MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK:
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.me'. The document body, though heavily obfuscated, contains text related to 'worksheet answers world history' and the malicious URL itself, suggesting a lure. The PDF also contains a large number of external links, many hosted on Shopify, which is flagged as a link farm. The primary malicious IOC is the redirector URL.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The extracted URLs include the redirector link https://ttraff.me/wix?keyword=who+am+i+worksheet+answers+world+history
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_006_off000099cb.bin | eb59ae8b460097c14201d0d4ce862a0be277ac04e1b4790ee3dd590006a27384 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x99CB | 17676 bytes |
| font_00_sfnt_off0000646f.bin | a8b734d357b307adb92c5cfbe6416275e03db12a1c006c54704e92aff16e2318 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x646F | 5336 bytes |
| font_01_sfnt_off00007680.bin | 8b5cc462f99a3027de66754ac9cb9f3f469a214b70baca0e74a8ee3a8eaf02c0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7680 | 10332 bytes |