Malware Insights
The PDF file triggered a heuristic for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=house+sale+agreement+format+in+tamil'. This URL is embedded within the document body, which also contains text related to a 'house sale agreement format in tamil', suggesting a lure. The file also exhibits characteristics of a link farm, with numerous embedded links to static.usrfiles.com, though these appear to be benign. The primary malicious indicator is the redirector URL, likely intended to lead the user to a malicious site.
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL:
- https://ttraff.com/wix?keyword=house+sale+agreement+format+in+tamil
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000697d.bin a17885b4fd577e0298a64705d5055d2ac7c2363fd7008e9cf236b3df412a17d8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x697D | 2828 bytes |
| font_01_sfnt_off00007377.bin 985f54a9a2fa5a5b0da04068c11fcc45ee25d95d50208c0e58b84532f30e0b82 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7377 | 5048 bytes |
| font_02_sfnt_off0000848b.bin bd916e4e68fcd35e1ce644c9a509b8ede0c194864e0c683020a0daf7bb4ccff2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x848B | 10116 bytes |