Verdict: MALICIOUS (Risk Score: 128)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a lure related to an online exam form, which is a common tactic for phishing. It embeds a link to 'ttraff.com', identified as a malicious redirector. The document also contains a large number of external PDF links, many hosted on Shopify, suggesting a link farm for SEO manipulation or traffic redirection. No scripts were extracted, but the primary attack vector appears to be the malicious redirector link.
Heuristics (4)

- **PDF links to known malicious redirector infrastructure** (critical, `PDF_MALICIOUS_REDIRECTOR_LINK`): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- **Small PDF contains mass external PDF link farm** (critical, `PDF_SEO_LINK_FARM`): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- **Fake invoice / payment lure** (low, `SE_INVOICE_LURE`): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
- **Embedded URL** (info, `EMBEDDED_URL`): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - https://ttraff.com/pify?keyword=bhavnagar+university+online+exam+form+2019
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000784e.bin | 03e34305c8085c623aa11336b55007426f7aa3234259c5a21dd7e6eb791b5e85 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x784E | 5824 bytes |
| font_01_sfnt_off00008c0d.bin | 6ac47bffaa8172b3f2fea4507897d086901737f09152f16c26dfc4aa1ce6531f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8C0D | 10268 bytes |
| font_02_sfnt_off0000af2e.bin | ebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAF2E | 16164 bytes |