Verdict: MALICIOUS (Risk Score 160)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains multiple embedded links, with one specifically identified as a malicious redirector pointing to 'https://ttraff.com/pify?keyword=check+whether+homebrew+is+installed'. The document also includes a heuristic indicating it's part of a password-protected archive lure, suggesting the PDF itself is a decoy to prompt the user to open a separate, likely malicious, archive. The presence of a link farm further supports a malicious distribution intent.
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Password-protected archive handoff [high, SE_PASSWORD_ARCHIVE_LURE]: Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://ttraff.com/pify?keyword=check+whether+homebrew+is+installed
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000b2b4.bin | 8ce5f45be7b99018d073b781cee3c429518be0918058d4d4e8e3a8f29c9c55c7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB2B4 | 5380 bytes |
| font_01_sfnt_off0000c4d2.bin | 0d9fe11318acc6bee60e7a0c04c40551a8bb1823277991e2c1da9f63e7481183 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC4D2 | 2452 bytes |
| font_02_sfnt_off0000cf89.bin | 76f64df86c1f933cf847a8fdd3e706d569f5c28b043b537ffd1455bc09baa6d9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF89 | 19192 bytes |
| font_03_sfnt_off00010791.bin | da41edb8949663296740ecf0cc75f40ae9536753316b3723132843d109c41233 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10791 | 16460 bytes |