Malware Insights
The PDF contains multiple embedded links, with one heuristic specifically flagging a link to known malicious redirector infrastructure (ttraff.ru). Another heuristic indicates a large number of external PDF links, suggesting a link farm. The document also employs social engineering tactics, luring the user to install a browser extension or update, and mentions password protection, indicating a multi-stage attack. The presence of a malicious redirector URL and the social engineering lures strongly suggest an attempt to deliver malware or steal credentials.
Heuristics (5)

- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
- Browser extension / update installation lure [high] SE_BROWSER_INSTALL_LURE: Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Flagged redirector URL: https://ttraff.ru/wix?keyword=chrome++speed+slow
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000080a2.bin (hash 5f5065fa45b2c273709f7cfbbbc09f677723e84b8d9de99e1bf4960fae6239d7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x80A2 | 4984 bytes |
| font_01_sfnt_off00009175.bin (hash 712135baa94bf22079dc79f2e0b12004b016235fb3d3d0e4f8e0b78f5f56d627) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9175 | 10436 bytes |