MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1204 User Execution
T1204.002 User Execution: Malicious File
T1566 Phishing
T1566.001 Phishing: Spearphishing Attachment
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
The PDF file contains a lure instructing the user to enable macros or editing, a common technique for malware droppers. It also hosts a large number of external PDF links, many pointing to Shopify domains, suggesting a link farm for SEO manipulation or to host further malicious content. The primary malicious URL identified is https://ttraff.com/wix?keyword=debt+snowball+worksheet+for+mac, which is flagged as a known malicious redirector. The document body itself contains garbled text but includes the malicious URL and several benign-looking PDF links.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=debt+snowball+worksheet+for+mac
- https://cdn.shopify.com/s/files/1/0431/4418/3974/files/witasolukakazuta.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xedatojif.pdf
- https://cdn.shopify.com/s/files/1/0427/9389/4044/files/93170668429.pdf
- https://cdn.shopify.com/s/files/1/0449/6100/5736/files/aaoifi_accounting_standards.pdf
- https://cdn.shopify.com/s/files/1/0436/4363/3822/files/75119920053.pdf
- https://static.usrfiles.com/ugd/b8c837_bfe4b25bd3ae4f6299dd6680bcdcd65b.pdf
- https://static.usrfiles.com/ugd/9ec29b_da177aaf4cf64764b08f49e386ac2591.pdf
- https://static.usrfiles.com/ugd/b8c837_1c0b666fe00649d2ad93306a2b54fbd8.pdf
- https://static.usrfiles.com/ugd/191a6d_d5b7fe06343a413f9da9b46d468c25ca.pdf
- https://static.usrfiles.com/ugd/df73ab_a1c03abc38eb47c6a8ce4487532f6fc1.pdf
- https://cdn.shopify.com/s/files/1/0432/5530/0249/files/50059122171.pdf
- https://cdn.shopify.com/s/files/1/0437/9171/2405/files/dj_lobo_bachata_mix.pdf
- https://cdn.shopify.com/s/files/1/0428/6991/5814/files/list_of_freshwater_aquarium_fish_species.pdf
- https://cdn.shopify.com/s/files/1/0432/4114/4483/files/attack_on_titan_explained.pdf
- https://static.usrfiles.com/ugd/b7ed05_0bcf20a1c40947cf8e5fcaad20759b98.pdf
- https://static.usrfiles.com/ugd/affb4a_702f954e116b461aa2644465f8477123.pdf
- https://static.usrfiles.com/ugd/4bdc6d_94c1d0183a7347a58fa1d6c439d5e917.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000072f3.bin67e5dcedefa749e03da905c114f5eaf3a7ced731c33347d97af13c07b0bcc46e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x72F3 | 5416 bytes |
font_01_sfnt_off0000854f.bin3820abb0273644bcfbf135f36ec84dfe61a8ef081a21bff60de96c6e80473a17 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x854F | 10420 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.