Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF file contains a link farm and a direct link to a known malicious redirector, ttraff.cc. The document body, though heavily obfuscated, contains text suggesting it is an 'exam time table', which is a common lure. The redirector URL is likely used to lead the user to a phishing page or a site hosting further malicious content. The presence of numerous PDF links suggests a tactic to manipulate search engine results for increased visibility.
Heuristics (3)

- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.cc/pify?keyword=btelinx+exam+time+table+2020+pdf
- http://zolodida.social-return.co.uk/uploads/1/3/1/3/131381464/01c54a.pdf
- http://files.sheuniquephotography.com/uploads/1/3/0/8/130813301/912abc238c4ce6e.pdf
- http://files.mrsudbury.com/uploads/1/3/0/7/130775280/b6319fa38f7.pdf
- http://files.whsnewschool.com/uploads/1/3/1/8/131871745/7047591.pdf
- http://files.votejasonmcguire.com/uploads/1/3/0/9/130969150/8c704ff8e016.pdf
- https://cdn.shopify.com/s/files/1/0432/5743/0176/files/angielski_w_tumaczeniach_czasy.pdf
- https://cdn.shopify.com/s/files/1/0427/8219/5879/files/siganuv.pdf
- https://cdn.shopify.com/s/files/1/0433/4577/2698/files/vogukosarujowugiz.pdf
- https://cdn.shopify.com/s/files/1/0432/4897/6032/files/gikegivirab.pdf
- https://cdn.shopify.com/s/files/1/0427/8855/2870/files/tome_of_the_cabal_vanilla.pdf
- https://cdn.shopify.com/s/files/1/0431/9202/5249/files/15407122818.pdf
- https://cdn.shopify.com/s/files/1/0444/0319/6070/files/understanding_analysis_2nd_edition.pdf
- https://cdn.shopify.com/s/files/1/0431/5004/9448/files/zamixanesemarajizu.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55079075607.pdf
- https://cdn.shopify.com/s/files/1/0428/3708/2271/files/64218923728.pdf
- https://cdn.shopify.com/s/files/1/0433/3685/9813/files/pedibegudobule.pdf
- https://cdn.shopify.com/s/files/1/0435/1252/9055/files/96176099628.pdf
- https://cdn.shopify.com/s/files/1/0429/3050/3843/files/rifiwut.pdf
- https://cdn.shopify.com/s/files/1/0431/9015/7473/files/81598979590.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0444/0319/6070/files/understanding_a
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00007622.bin | 6adec80a53899e0d07b7add87c50a48ba56c6cafdfe2c28aad28009aadc90325 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7622 | 5444 bytes |
| font_01_sfnt_off000088a1.bin | 38004075296f4fea61acc63dcfdf428ecd76eab54d318fb7814d3a97a302a5b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x88A1 | 10408 bytes |