MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious Link
T1204.001 Malicious Link
T1566.002 Spearphishing Attachment
The PDF contains a mass of external links, including one to a known malicious redirector at ttraff.cc. The document body and heuristics suggest a lure for remote support tools, likely intended to trick the user into downloading and executing further malicious payloads. No scripts were extracted, limiting the analysis of specific execution chains.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Remote-support tool lure high SE_REMOTE_SUPPORT_LUREDocument instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=minecraft+rpg+servers+with+classes+and+races
- http://files.joannesscott.com/uploads/1/3/0/9/130969591/loxexakuvarodan.pdf
- http://files.mosim.org/uploads/1/3/0/7/130738559/9522104.pdf
- http://files.behindthebitshowclothing.com/uploads/1/3/0/7/130775867/9200441.pdf
- http://files.finksdeli.org/uploads/1/3/2/7/132741222/5b0259.pdf
- https://cdn.shopify.com/s/files/1/0431/4578/9600/files/gadepixazixagavimi.pdf
- https://cdn.shopify.com/s/files/1/0434/3519/6566/files/90791471687.pdf
- https://cdn.shopify.com/s/files/1/0433/7798/3653/files/xomemojizosinisuzumuxab.pdf
- https://cdn.shopify.com/s/files/1/0430/5013/9801/files/bovitalu.pdf
- https://cdn.shopify.com/s/files/1/0434/4417/5013/files/tofokerivepilazesip.pdf
- https://cdn.shopify.com/s/files/1/0437/6231/9521/files/osrs_amethyst_broad_bolts.pdf
- https://cdn.shopify.com/s/files/1/0435/9258/1288/files/67896070625.pdf
- https://cdn.shopify.com/s/files/1/0434/1999/2222/files/75115580205.pdf
- https://cdn.shopify.com/s/files/1/0433/0615/6190/files/basamojowolixewi.pdf
- https://cdn.shopify.com/s/files/1/0431/0233/9232/files/vimawovazakizuwokisile.pdf
- https://cdn.shopify.com/s/files/1/0431/2816/0413/files/15206095318.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/30347825404.pdf
- https://cdn.shopify.com/s/files/1/0434/4774/6721/files/91090467084.pdf
- https://cdn.shopify.com/s/files/1/0434/0239/5798/files/25791459065.pdf
- https://cdn.shopify.com/s/files/1/0433/0081/4998/files/89113938687.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007fb5.bindb31b6b0b3b18061b9dd1f888b7a20126e871f3044a60d7d7c613e2df3925b1f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7FB5 | 5576 bytes |
font_01_sfnt_off000092c8.bin4da8cc92e4cbeda4a34810f04645d966876df3b87db3ccf6447229dfb51d1611 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x92C8 | 10748 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.