MALICIOUS
170
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a lure to install a browser extension or update, and includes a link to a redirector. This redirector leads to a URL that appears to be part of a link farm, ultimately pointing to a malicious domain. The document body, though heavily obfuscated, contains references to the malicious URL and benign-looking PDF files, suggesting a social engineering attempt to trick the user into downloading or accessing malicious content.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/pify?keyword=audio+editor+cutter
- https://static.usrfiles.com/ugd/dc51bb_cd883d64a2f746f4913c8b05f50bed7c.pdf
- https://static.usrfiles.com/ugd/b42fd6_64fa1f77c8e648d8b053512da30db695.pdf
- https://static.usrfiles.com/ugd/b8c837_c52825cdeb7a4195b3b19cbfbc2a66c6.pdf
- https://static.usrfiles.com/ugd/0a052f_42cc0cbaf8be404c9ce1a3145e3f39f7.pdf
- https://static.usrfiles.com/ugd/b8c837_37dda59325b84745b1f6d33c61e9f468.pdf
- https://static.usrfiles.com/ugd/469aea_e386c21ee21940a1a4c3c678ba2c8536.pdf
- https://static.usrfiles.com/ugd/c1615c_a205b4c97e0a491080b40ceb7c2e0e15.pdf
- https://static.usrfiles.com/ugd/23b571_48319fa5f1b24723b70384e3f853efb4.pdf
- https://cdn.shopify.com/s/files/1/0431/0020/9309/files/dirty_riddles_with_clean_answers.pdf
- https://cdn.shopify.com/s/files/1/0437/9302/3133/files/mewavizinidawu.pdf
- https://cdn.shopify.com/s/files/1/0432/9593/2574/files/22784390552.pdf
- https://cdn.shopify.com/s/files/1/0434/5652/8541/files/free_java_jre_1._8.pdf
- https://cdn.shopify.com/s/files/1/0432/7217/5781/files/50185604069.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000076d9.bin90c26a52a26f69efd0662e9d7250b0492cd970e845a452ae1e8a3b34ef5713f9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x76D9 | 4500 bytes |
font_01_sfnt_off00008635.bin9d8ae4c91dde129b63f03335a299c808ad2160aaf4e0a5adaac828722b9862dd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8635 | 10256 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.