Malware Insights
The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=does+quickbooks+have+an+income+statement'. This URL is presented within the document body, disguised as a search result. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to benign Shopify domains but are likely used to obscure the malicious redirector. The 'SE_INVOICE_LURE' heuristic further suggests a deceptive intent, likely to trick the user into clicking the malicious link under the guise of an invoice or financial document.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=does+quickbooks+have+an+income+statement
- https://2039082c-551e-4f40-b720-6b7d575e72ba.filesusr.com/ugd/a6e5e9_2c9c395576b5444c8067b59071226af0.pdf?index=true
- https://11ff1713-e3f3-464a-b765-0cc9a30cb665.filesusr.com/ugd/3c2969_c394feab753e4743a708cf622b2dbda1.pdf?index=true
- https://1189e396-f370-43e7-bef6-ec0c3010ba29.filesusr.com/ugd/3bf302_134f8385506b4b46a4a4e8e0ced84501.pdf?index=true
- https://cdn.shopify.com/s/files/1/0461/8141/7114/files/printable_weekly_planner_template_2019.pdf
- https://cdn.shopify.com/s/files/1/0429/3731/9590/files/57411285725.pdf
- https://cdn.shopify.com/s/files/1/0436/4215/9257/files/candombl_de_angola_rezas.pdf
- https://cdn.shopify.com/s/files/1/0435/8583/1080/files/86305520282.pdf
- https://cdn.shopify.com/s/files/1/0436/9452/2523/files/91524360664.pdf
- https://cdn.shopify.com/s/files/1/0437/3915/2535/files/windows_7_ultimate_activator_crack.pdf
- https://cdn.shopify.com/s/files/1/0433/6333/6350/files/coquette_regular_font_free.pdf
- https://cdn.shopify.com/s/files/1/0432/3934/2247/files/read_books_online_free_app_for_android.pdf
- https://cdn.shopify.com/s/files/1/0433/0301/0468/files/21432534925.pdf
- https://cdn.shopify.com/s/files/1/0434/1514/2567/files/rational_numbers_class_8_ncert.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000061f5.bin1dc297714959f7b3ada92b401cad546543a8c0a4b8834300f9db0da1a3d6fa84 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x61F5 | 5300 bytes |
font_01_sfnt_off000073f4.bin8996e2ea54039a6d4fcd4517326d914afed354f5e26fa715a3145d1b08c337a8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x73F4 | 10164 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.