MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains embedded JavaScript and multiple external links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'current affairs pdf' and a URL that matches the malicious redirector. The presence of a 'download button' heuristic further supports the lure mechanism. The primary malicious IOC is the ttraff.ru redirector, which likely leads to further malicious content.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=up+current+affairs+2020+in+english+pdf
- http://files.talmygroup.com/uploads/1/3/1/4/131453100/d4ad48f849eab.pdf
- http://files.handfedapp.com/uploads/1/3/1/6/131637606/bf6cc4.pdf
- http://files.sanbernardinohandyman.org/uploads/1/3/1/3/131379382/vusem.pdf
- http://files.naturallogicskincare.com/uploads/1/3/1/6/131607027/mugajudatikewuz.pdf
- https://cdn.shopify.com/s/files/1/0432/5939/6254/files/19285848956.pdf
- https://cdn.shopify.com/s/files/1/0430/2739/8807/files/vemina.pdf
- https://cdn.shopify.com/s/files/1/0431/9064/8996/files/anders_zorn_sweden_s_master_painter.pdf
- https://cdn.shopify.com/s/files/1/0432/6604/8165/files/73832775552.pdf
- https://cdn.shopify.com/s/files/1/0432/5857/7046/files/xugodes.pdf
- https://cdn.shopify.com/s/files/1/0431/9058/3464/files/playboy_the_masion_game.pdf
- https://cdn.shopify.com/s/files/1/0434/5711/8374/files/paramore_playing_god.pdf
- https://cdn.shopify.com/s/files/1/0429/4849/3475/files/toyota_rav4_owners_manual.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vukabisozudetilo.pdf
- https://cdn.shopify.com/s/files/1/0431/8062/1985/files/32835876771.pdf
- https://cdn.shopify.com/s/files/1/0430/0275/7281/files/pesexemezugaduvufagijifan.pdf
- https://cdn.shopify.com/s/files/1/0439/2170/3067/files/star_trek_encyclopedia_download_free.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007ca9.bin6d71650bdafeecf8fc4cad6ee6f1f1481fc13887ef73b460cc21fd9592fe4a3a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7CA9 | 5684 bytes |
font_01_sfnt_off00008ff6.binb535aceb32d383da4ffe80816d2ddc1bab97340787c4aaa0eb715c8f60cde15d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8FF6 | 10352 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.