MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF document contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.cc'. It also exhibits characteristics of a fake invoice or payment lure. The document body, though heavily obfuscated, contains a URL that appears to be the same as the malicious redirector. The presence of numerous external PDF links, many hosted on shopify.com, suggests a link farm designed to obscure the ultimate destination or to appear as legitimate content.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=ysrrythubarosa+gov+rbapp+reports+payment+status
- http://dofibitab.southactorsguide.com/uploads/1/3/0/8/130873995/3568445.pdf
- http://fopoju.flowersfromsarahsgarden.com/uploads/1/3/0/7/130739892/vopemuvofe.pdf
- https://cdn.shopify.com/s/files/1/0429/9581/0455/files/welorubemodeva.pdf
- https://cdn.shopify.com/s/files/1/0431/0512/4516/files/besulo.pdf
- https://cdn.shopify.com/s/files/1/0435/4349/4815/files/ceragon_ip_10_commissioning.pdf
- https://cdn.shopify.com/s/files/1/0430/0649/2823/files/graphene_optical_properties.pdf
- https://cdn.shopify.com/s/files/1/0460/2911/1455/files/17936887785.pdf
- https://cdn.shopify.com/s/files/1/0437/6189/3533/files/enhancement_shaman_pvp_guide.pdf
- https://cdn.shopify.com/s/files/1/0431/8311/2341/files/abba_happy_new_year_piano_sheet.pdf
- https://cdn.shopify.com/s/files/1/0433/2853/6734/files/87775334304.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f22.bin33fe9347934a7b702044fccec5c4540ad7967176b1dd94488204aff9b2bf1d89 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F22 | 5464 bytes |
font_01_sfnt_off0000819e.binc9f2b0a7fe7c9874960658a67c604b1609ef31f451f9afaf6ac6894b78387137 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x819E | 32248 bytes |
font_02_sfnt_off0000c456.bin852fa33cbf858e79f79c7176a7e8ccdf49cfdaa447a847ad786595812eaf729b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC456 | 10080 bytes |
font_03_sfnt_off0000e708.bin6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE708 | 16164 bytes |
font_04_sfnt_off0000fc59.bin413cae8dc8a887cac241d3de3758f3f3dc95ed0159125f697a1688b886dc5ab7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC59 | 2568 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.