Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF triggers a heuristic for a malicious redirector link, specifically 'https://ttraff.link/wix?keyword=circle+geometry+word+problems+worksheets'. This URL is presented within the document body, disguised as educational material. The file also triggers the PDF link-farm heuristic, indicating a large number of outbound links, many of them to benign-looking files on cloud storage. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a malicious site.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Primary URL: https://ttraff.link/wix?keyword=circle+geometry+word+problems+worksheets
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005b7c.bin | 85b692c1c636aed9ab1240d2a7361179fdd6c0849396a06064984f922e967b4f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B7C | 2828 bytes |
| font_01_sfnt_off00006576.bin | 117f56985bb65938bfffc0e57d61da6ffca98d101b9f845318648142e36876dd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6576 | 5380 bytes |
| font_02_sfnt_off000077cc.bin | d7193c75577df59d7e27858b255d042484644980475ce0bda52eb2b408d97a21 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x77CC | 9760 bytes |
| font_03_sfnt_off00009923.bin | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9923 | 4324 bytes |