MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a large number of external links, many of which point to a redirector service. The primary malicious URL identified is https://ttraff.me/wix?keyword=baker+street+alto+sax. This indicates a link farm attack designed to redirect users to potentially malicious content. No scripts were extracted, and the document body was heavily obfuscated.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=baker+street+alto+sax
- http://files.johannaparkhurst.com/uploads/1/3/0/7/130740011/6665601.pdf
- http://files.asianairspace.com/uploads/1/3/1/4/131408942/xewobizexusowe.pdf
- http://tasaxeg.fpcsallisawok.org/uploads/1/3/0/7/130776699/dodoretomuf-pupijewoj-tenebo.pdf
- https://8d2e94e6-4142-4745-ae85-8d00623739c2.filesusr.com/ugd/e6e573_0d4eba4de0fa488e9b34e1011285580d.pdf?index=true
- https://2b16f440-1710-4a98-9fc4-f107d79f24a8.filesusr.com/ugd/ce0e6d_c33bbb0a12454b4bb4cf1fbc22a725f2.pdf?index=true
- https://e31cd898-2999-47a3-87ae-df755bb8a24a.filesusr.com/ugd/e1c37d_0db8060fd5f14927972de2791339479a.pdf?index=true
- https://e424c7b8-07d7-4f8f-9a03-779f3de367b7.filesusr.com/ugd/9c58c5_7894293c0c7647df96d02413f4230454.pdf?index=true
- https://6d10264b-7127-448a-9b5c-8f955e4299a8.filesusr.com/ugd/f523c3_728263f33f9b48f58d66d0076f375bd0.pdf?index=true
- https://498b408a-669f-448f-b732-35b262930ebc.filesusr.com/ugd/23a6c3_3488dee78ea24edcb0d0ea6acbef51b5.pdf?index=true
- https://088f6345-07ed-4e72-bfd5-0386d2a4be34.filesusr.com/ugd/65e777_a2731887eb094d55a96500a2c4e9be93.pdf?index=true
- https://6d65c63c-560b-4926-afa0-3e8f571368fb.filesusr.com/ugd/595093_55194e2ede624d32a60e03ed3ed75e59.pdf?index=true
- https://cdn.shopify.com/s/files/1/0430/0010/3071/files/xusilowutotakufupuget.pdf
- https://cdn.shopify.com/s/files/1/0432/7679/6057/files/57698811916.pdf
- https://cdn.shopify.com/s/files/1/0435/0862/9659/files/karizefupu.pdf
- https://cdn.shopify.com/s/files/1/0432/0890/0768/files/zifezis.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006048.bin3b17a85d84971f5805362184ba6a8cab1a94edb19fe8f68ebb5f4c7f00e249be |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6048 | 4860 bytes |
font_01_sfnt_off000070e7.bin8e0757e70e305d9b990b5af39288f2b092c1279591d959e08bcf9c0f83a123ac |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x70E7 | 10432 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.