MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=scotsman+guide+top+originators+2017'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, including one to a Shopify domain. The document body, though heavily obfuscated, contains references to the malicious URL and other PDF links. The presence of a callback lure heuristic suggests a potential phishing or scam attempt, aiming to trick the user into interacting further.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=scotsman+guide+top+originators+2017
- https://cdn.shopify.com/s/files/1/0435/9494/0575/files/97769912310.pdf
- https://cdn.shopify.com/s/files/1/0429/1464/4127/files/mbbs_1st_year_all_books.pdf
- https://cdn.shopify.com/s/files/1/0435/3461/4688/files/donagapogijifawadixalu.pdf
- https://static.usrfiles.com/ugd/0d2908_b8117e18193041f0b84f5cea23931205.pdf
- https://static.usrfiles.com/ugd/e3ed1f_29ccaaff9e1d45e093ddb2a9a1168e0a.pdf
- https://static.usrfiles.com/ugd/33a16d_051772f176bf486ca7ed206c7a13f595.pdf
- https://static.usrfiles.com/ugd/cfa91a_b1651132855f4470bd7c1495fe7687a9.pdf
- https://static.usrfiles.com/ugd/b8c837_7d7af03a04d145f7a49d1f0b9cdc5789.pdf
- https://static.usrfiles.com/ugd/b8c837_6eb543a0a3fe47a0903e4561e1c80e64.pdf
- https://static.usrfiles.com/ugd/5ed537_8de6dccbe9ea4156af9758e9399d95db.pdf
- https://static.usrfiles.com/ugd/b8c837_1fdd3a5c605f4d6ab4e58f6f2fa293d4.pdf
- https://static.usrfiles.com/ugd/2f07a1_e2ad95a2a8264d28a571bfbfdce64ab3.pdf
- https://static.usrfiles.com/ugd/1df9ea_59b61a229ea94765bcd2562af0c8dd29.pdf
- https://static.usrfiles.com/ugd/b8c837_425f876c42304fc58deadb6123b02bf4.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006a18.bin61197f3d5763bb96c67160b6530749833d6d7a5e682a0b9a9c40c61af31825f1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A18 | 5872 bytes |
font_01_sfnt_off00007e02.bin046006ad2d08ba15b8050d417d75595df2c8859c1ac3eaca76839d3533cd77a9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E02 | 11596 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.