MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains a mass of external links, many of which point to Shopify domains, but one critical link redirects to a known malicious domain (ttraff.cc). The document body, though heavily obfuscated, contains references to the malicious URL and appears to be a lure for a 'Twitter banner template photoshop'. The presence of a visual download button heuristic further supports a social engineering attack. The primary attack vector is likely a malicious redirector link embedded within the PDF.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=twitter+banner+template+photoshop
- http://mozoxeg.team-change.com/uploads/1/3/1/4/131412290/modegavimurufiruwun.pdf
- http://files.creatingtolove.com/uploads/1/3/1/3/131383727/9ed88df.pdf
- https://cdn.shopify.com/s/files/1/0433/5727/4270/files/dafarijamikowoboja.pdf
- https://cdn.shopify.com/s/files/1/0437/4737/7301/files/chaconne_bach_violin.pdf
- https://cdn.shopify.com/s/files/1/0433/3699/0885/files/fusodukibufoveziga.pdf
- https://cdn.shopify.com/s/files/1/0433/1631/4277/files/fefilore.pdf
- https://cdn.shopify.com/s/files/1/0431/8678/2369/files/eloge_de_l_amour_alain_badiou.pdf
- https://cdn.shopify.com/s/files/1/0434/4217/6150/files/kibikegamokolajezise.pdf
- https://cdn.shopify.com/s/files/1/0439/1380/5992/files/nitro_to_word_converter_software_free_download_full_version.pdf
- https://cdn.shopify.com/s/files/1/0434/6406/5174/files/91901679720.pdf
- https://cdn.shopify.com/s/files/1/0433/7513/2824/files/96745258286.pdf
- https://cdn.shopify.com/s/files/1/0438/0576/9889/files/44835956532.pdf
- https://cdn.shopify.com/s/files/1/0434/5036/8152/files/zikukamijurafivama.pdf
- https://cdn.shopify.com/s/files/1/0434/3057/6295/files/phoenix_arms_hp22_problems.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/50537202024.pdf
- https://cdn.shopify.com/s/files/1/0432/7201/1941/files/kigozuvemoxabafa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000999e.bin841792c22e3b0763775c46119458fb63aa8c50c5741d79daab162e194ad8e0ec |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x999E | 5240 bytes |
font_01_sfnt_off0000ab43.binc90674db12bb319716c1699487b2e48a6df076e881671459375137276c58dff7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAB43 | 10540 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.