MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1566.002 Spearphishing Attachment
The PDF contains a lure instructing the user to enable macros or editing, a common technique to bypass security. It also features a mass external PDF link farm, with one critical link pointing to a known malicious redirector. The primary malicious URL is https://ttraff.cc/pify?keyword=edit+pdf+text+in+mac+preview, which likely leads to further malicious content.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=edit+pdf+text+in+mac+preview
- http://dowore.spotonslgroup.com/uploads/1/3/1/0/131070590/99454b0634.pdf
- http://lefere.spaluxedayspa.com/uploads/1/3/1/4/131406437/mimitok-tapajat.pdf
- http://files.bestoftimeswatch.com/uploads/1/3/1/3/131379749/e4facd24be.pdf
- http://files.sansmarket.co/uploads/1/3/0/8/130813988/1653043.pdf
- https://cdn.shopify.com/s/files/1/0432/1227/5871/files/zosoxiketosinavog.pdf
- https://cdn.shopify.com/s/files/1/0429/9007/6057/files/lefijopusujinanoguke.pdf
- https://cdn.shopify.com/s/files/1/0432/3622/9278/files/royal_dutch_shell_annual_report.pdf
- https://cdn.shopify.com/s/files/1/0432/7761/5262/files/34216990872.pdf
- https://cdn.shopify.com/s/files/1/0432/7096/3350/files/53907974840.pdf
- https://cdn.shopify.com/s/files/1/0433/8856/7706/files/91998869631.pdf
- https://cdn.shopify.com/s/files/1/0434/5102/3526/files/54038792901.pdf
- https://cdn.shopify.com/s/files/1/0433/3764/6245/files/ridafusemiwarapime.pdf
- https://cdn.shopify.com/s/files/1/0432/2597/2904/files/green_day_jaded.pdf
- https://cdn.shopify.com/s/files/1/0433/9358/1212/files/buwogubavovozerotujepaka.pdf
- https://cdn.shopify.com/s/files/1/0440/6309/6984/files/mukugarisawoluje.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000065f5.bine2a08f560bf85ad955feb56c607d1579eed987c43c30bc4511933d6be31525de |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x65F5 | 4944 bytes |
font_01_sfnt_off000076b6.bindaec31fdad105387d9bb8dfd15a93ef04a60ec9d235795ead326c51d7a3730b5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x76B6 | 10096 bytes |
font_02_sfnt_off00009974.bin3d0607dae75728782b25c9d3429baeb9be3c38959204d25c826753ffeaddf657 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9974 | 16460 bytes |
font_03_sfnt_off0000af53.binff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAF53 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.