MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a search result for boiler information. The document also contains a large number of external PDF links, many hosted on cdn.shopify.com, suggesting a link farm or SEO poisoning attempt. No scripts were extracted, but the primary malicious activity appears to be redirecting the user to a harmful site.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=worcester+greenstar+24i+system+boiler+pdf
- http://gobovusi.patrickrheck.com/uploads/1/3/1/4/131438142/xovazodawo_rimurizigozewa_sijigopure.pdf
- http://files.boudoirsbyian.com/uploads/1/3/1/6/131607093/zesizufovafoxut_bulom_dosojodabel.pdf
- http://files.christinehenseler.com/uploads/1/3/1/0/131070560/4154151.pdf
- http://files.sweethavenlavender.com/uploads/1/3/1/6/131637850/gusigebuliz_bexiwipobifi.pdf
- http://files.62squadron.com/uploads/1/3/1/3/131384145/3308639.pdf
- https://cdn.shopify.com/s/files/1/0431/7950/7872/files/genapujoxuzelemudid.pdf
- https://cdn.shopify.com/s/files/1/0434/8038/3653/files/80295055286.pdf
- https://cdn.shopify.com/s/files/1/0428/1335/8247/files/xefegonorujuguke.pdf
- https://cdn.shopify.com/s/files/1/0432/9301/6232/files/46353422985.pdf
- https://cdn.shopify.com/s/files/1/0430/4273/4237/files/48419669300.pdf
- https://cdn.shopify.com/s/files/1/0431/0319/1193/files/50447162473.pdf
- https://cdn.shopify.com/s/files/1/0446/3670/0835/files/work_rules_laszlo_bock_espaol.pdf
- https://cdn.shopify.com/s/files/1/0435/1901/7124/files/18709867641.pdf
- https://cdn.shopify.com/s/files/1/0435/2871/6439/files/24863824616.pdf
- https://cdn.shopify.com/s/files/1/0449/4550/6459/files/deep_learning_free_download.pdf
- https://cdn.shopify.com/s/files/1/0436/0175/6323/files/tewusaz.pdf
- https://cdn.shopify.com/s/files/1/0429/2155/8183/files/digital_image_processing_gonzalez_3rd_edition.pdf
- https://cdn.shopify.com/s/files/1/0430/6901/4165/files/eileen_wellstone_snopes.pdf
- https://cdn.shopify.com/s/files/1/0434/4145/5254/files/33470352805.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000059b2.bine5f105699b9bb8fc74057db2863d9c5c7b53bd1e429b95c7b073109b8c42f7dc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x59B2 | 5740 bytes |
font_01_sfnt_off00006d37.bin5b8711dbb9b4c090957a13ad126b9cd569f0383cc5c16b80cb7f95e8800ce743 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D37 | 10056 bytes |
font_02_sfnt_off00008f65.bind1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F65 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.