MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of embedded links, many of which point to domains associated with link farms and redirectors. The primary malicious URL identified is https://ttraff.com/wb?keyword=arbitrage%20pricing%20theory%20model%20pdf, which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to the same URL and other PDF files hosted on various domains, suggesting a coordinated effort to drive traffic to malicious infrastructure. No scripts were extracted, limiting the analysis of direct payload execution.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=arbitrage%20pricing%20theory%20model%20pdf
- http://lapuxevu.thisiskellymaryanski.com/uploads/1/3/1/3/131383483/110f7996ec3a692.pdf
- http://files.tsmfarms.com/uploads/1/3/2/8/132814400/pukukedomujonanude.pdf
- http://files.australianworkingadventures.com/uploads/1/3/0/7/130775953/c84e4c988.pdf
- http://files.pureloops.com/uploads/1/3/0/8/130814070/891860.pdf
- http://muxuteja.catholicapostolatecenter.org/uploads/1/3/0/9/130969754/6f4c4d7f9656.pdf
- https://cdn.shopify.com/s/files/1/0431/8694/6212/files/campus_security_officer_training_manual.pdf
- https://cdn.shopify.com/s/files/1/0428/2341/8019/files/access_consciousness_clearing_statement.pdf
- https://cdn.shopify.com/s/files/1/0438/1409/2960/files/simon_xt_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/2009/9488/files/how_to_make_a_csgo_config.pdf
- https://cdn.shopify.com/s/files/1/0430/6596/6754/files/zogug.pdf
- https://cdn.shopify.com/s/files/1/0451/9510/0311/files/agnieszka_szulim_piotr_woniak_starak.pdf
- https://cdn.shopify.com/s/files/1/0431/0974/4789/files/60320118089.pdf
- https://cdn.shopify.com/s/files/1/0429/6769/5509/files/82334851165.pdf
- https://cdn.shopify.com/s/files/1/0437/7437/8138/files/56882914572.pdf
- https://cdn.shopify.com/s/files/1/0429/2732/5343/files/daxedama.pdf
- https://cdn.shopify.com/s/files/1/0429/7513/3859/files/repaweg.pdf
- https://cdn.shopify.com/s/files/1/0443/1344/4508/files/camelia_jordana_moi_c_est.pdf
- https://cdn.shopify.com/s/files/1/0434/4178/2950/files/52788483555.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000073a1.bin1cca9e5b7b79f888cd2ce3cd199c8fa588cab4d6ade905526655d6be6e9c1c36 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x73A1 | 5624 bytes |
font_01_sfnt_off00008692.bin5e04d71f2e27e667c7ebc2d2cccf4b279d40a7cf9e23030536592dd2c2e39be2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8692 | 10476 bytes |
font_02_sfnt_off0000aa8e.bin04ebd1ec2e2f4e9ea29623c22e87970a706a29fd30c00d7970aa3ef8a2a4479b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA8E | 16316 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.