Verdict: MALICIOUS
Risk score: 160
Malware Insights
MITRE ATT&CK
T1204.001 User Execution: Malicious Link
T1566.002 Phishing: Spearphishing Link
Two critical heuristics fired on this PDF: a clickable link to known malicious redirector infrastructure and a mass external PDF link farm. Together they indicate a social-engineering carrier document rather than an exploit against the PDF parser. The document body and the lure heuristic show the user is told to install a browser extension or update in order to view the content. The primary malicious URL is on ttraff.ru, which most likely acts as a redirector into further malicious content or phishing pages; the remaining links point to other .pdf files clustered on a handful of hosts, the pattern of a generated SEO link farm.
Heuristics (4)
- critical PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure. The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- critical PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm. The PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
- high SE_BROWSER_INSTALL_LURE: Browser extension / update installation lure. The document tells the user to install a browser extension, plugin, viewer or browser update to view the content, a common social-engineering path to credential theft and malware installation.
- info EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.ru/pify?keyword=how+to+annotate+pdfs+in+onenote
- http://files.chiropractic-now.com/uploads/1/3/1/8/131857758/naradeviw.pdf
- http://files.jennibearbeauty.com/uploads/1/3/2/3/132303118/405db551a.pdf
- http://files.archdaledrug.com/uploads/1/3/1/6/131606173/tapipifutazokilit.pdf
- http://files.immi-sa.com/uploads/1/3/0/8/130874284/jiwepu.pdf
- http://files.wyattearpexplorers.com/uploads/1/3/2/7/132740987/gizifewerula.pdf
- https://cdn.shopify.com/s/files/1/0434/1461/8277/files/73917022431.pdf
- https://cdn.shopify.com/s/files/1/0429/6382/8895/files/pipulodikabadif.pdf
- https://cdn.shopify.com/s/files/1/0432/4599/4146/files/kodowivumezone.pdf
- https://cdn.shopify.com/s/files/1/0429/8833/9361/files/sujajonado.pdf
- https://polulexugiz.files.wordpress.com/2020/06/10174057725.pdf
- https://gelavamot.files.wordpress.com/2020/07/fepinivuz.pdf
- https://wirebibejav.files.wordpress.com/2020/07/37483021045.pdf
- https://vupejesos.files.wordpress.com/2020/06/13644140812.pdf
- https://cdn.shopify.com/s/files/1/0431/4277/4938/files/93071069994.pdf
- https://cdn.shopify.com/s/files/1/0433/4357/7256/files/dixiwiv.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/davunaxejapezuxipuwuwozom.pdf
- https://cdn.shopify.com/s/files/1/0430/4610/9341/files/84828101215.pdf
- https://cdn.shopify.com/s/files/1/0432/5857/7046/files/64572977721.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/6733015585.pdf
- https://cdn.shopify.com/s/files/1/0430/5115/5609/files/ziboxuluturipimuf.pdf
- https://cdn.shopify.com/s/files/1/0432/0637/7632/files/69675908806.pdf
The following six entries are XMP/RDF namespace URIs from the document's metadata stream, not clickable links; they appear in practically every PDF with XMP metadata and carry no signal on their own:
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
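The three content heuristics above can be reproduced with a byte-level pass over the PDF: pull the `/URI` values out of link annotations, pull the literal strings fed to the `Tj` text operator, then apply a redirector-host match, a link-farm test (small file, many external `.pdf` links, most on one host) and a lure regex. The code below is an added example written for this page, not the analyzer's own logic; the thresholds, the regexes and the redirector host set are assumptions (only ttraff.ru comes from the report), and the sample PDF is constructed inline, with all hosts except ttraff.ru made up. It only handles uncompressed objects and literal strings, which is enough for the generated carriers this report describes; a production scanner would inflate Flate streams and decode hex strings first.

```python
"""Triage heuristics for SEO link-farm / redirector PDF carriers (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: redirector hosts tied to this campaign. Only ttraff.ru comes
# from the report; maintain this set from your own intel.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Assumed lure wording; tune to the lures you actually see.
LURE_RE = re.compile(
    r"(install|download|update)\s+(the\s+|your\s+)?"
    r"(browser\s+)?(extension|plugin|plug-in|viewer|add-on|browser)",
    re.I,
)
# PDF literal strings: anything inside (...) with backslash escapes allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def pdf_string(raw: bytes) -> str:
    """Undo the literal-string escapes that matter for URLs and text."""
    raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return raw.decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """URIs from /URI actions of link annotations (uncompressed objects only)."""
    return [pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]


def extract_text(pdf: bytes) -> str:
    """Visible text shown with the Tj operator (uncompressed content streams)."""
    return " ".join(pdf_string(m.group(1)) for m in TJ_RE.finditer(pdf))


def run_heuristics(pdf: bytes, max_size=200_000, min_links=8, cluster_ratio=0.5):
    """Return [(severity, heuristic_id, detail), ...] modelled on the report."""
    hits = []
    uris = extract_uris(pdf)
    hosts = [urlparse(u).hostname or "" for u in uris]

    # 1. Clickable URI to known redirector infrastructure.
    bad = sorted({h for h in hosts if h in KNOWN_REDIRECTOR_HOSTS})
    if bad:
        hits.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", bad))

    # 2. Small file, many external .pdf links, mostly clustered on one host.
    pdf_links = [(u, h) for u, h in zip(uris, hosts)
                 if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= max_size and len(pdf_links) >= min_links:
        top_host, n = Counter(h for _, h in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            hits.append(("critical", "PDF_SEO_LINK_FARM",
                         {"links": len(pdf_links), "top_host": top_host, "on_top_host": n}))

    # 3. Install/update lure in the visible text.
    m = LURE_RE.search(extract_text(pdf))
    if m:
        hits.append(("high", "SE_BROWSER_INSTALL_LURE", m.group(0)))
    return hits


def build_sample() -> bytes:
    """Constructed sample: minimal PDF syntax, not a real carrier.
    Every host except ttraff.ru is invented for the example."""
    links = ["https://ttraff.ru/pify?keyword=how+to+annotate+pdfs"]
    links += [f"https://cdn.example-store.invalid/s/files/1/0{i:03d}/files/{i}.pdf"
              for i in range(9)]
    links += ["https://other.invalid/a.pdf"]
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % u.encode()
        for u in links)
    content = b"BT /F1 12 Tf (Please install the browser extension to view this document) Tj ET"
    return b"%PDF-1.4\n" + annots + b"stream\n" + content + b"\nendstream\n%%EOF"


if __name__ == "__main__":
    for sev, hid, detail in run_heuristics(build_sample()):
        print(f"[{sev}] {hid}: {detail}")
```

The link-farm check deliberately counts only links whose path ends in `.pdf`: the redirector URL is a query-string link, so it contributes to heuristic 1 but not to the cluster ratio, which mirrors how the two detections fire independently in the report.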
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00007d22.bin | a4f544a3429a0cab370fab046828d0466e3ff2ae21db59194ec9c67260fbcfe8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D22 | 4748 bytes |
| font_01_sfnt_off00008d64.bin | 0764edf50eec6f2d764e6d6a83a8e114ec00c7d2eb76f99d97c37f3cc96f2d68 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D64 | 9928 bytes |
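Rows like the two above come from carving sfnt (TrueType/OpenType) font blobs out of the file: scan for an sfnt scaler-type magic, validate the table directory that follows it, bound the blob by the furthest table extent, and hash what was cut out. The code below is an added example, not the analyzer's carver. It assumes the font stream is stored uncompressed (real carriers often Flate-compress `/FontFile2` streams, so inflate streams before scanning), and the PDF buffer and the two-table font inside it are constructed for the example; the `/Marked true` entry is planted so the `true` magic produces a false lead that the directory validation has to reject.

```python
"""Carve embedded sfnt fonts from a PDF byte buffer and hash them (added example)."""
import hashlib
import struct

# sfnt scaler types: TrueType (0x00010000 or 'true') and CFF-based OpenType ('OTTO').
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def parse_sfnt(buf: bytes, off: int):
    """Return (length, table_tags) for a plausible sfnt at buf[off], else None."""
    if off + 12 > len(buf) or buf[off:off + 4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= 64:          # sanity bound: real fonts have a handful to ~30
        return None
    end, tags = 12 + 16 * num_tables, []
    for i in range(num_tables):
        rec = off + 12 + 16 * i              # 16-byte table record: tag, checksum, offset, length
        if rec + 16 > len(buf):
            return None
        tag, _csum, t_off, t_len = struct.unpack_from(">4sIII", buf, rec)
        if not all(0x20 <= c < 0x7F for c in tag):   # tags are printable ASCII
            return None
        if t_off < 12 or t_off + t_len > len(buf) - off:   # table must lie inside the buffer
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, t_off + t_len)
    return (end + 3) & ~3, tags              # tables are 4-byte aligned


def carve_fonts(buf: bytes) -> list:
    """Scan buf for sfnt fonts; return rows shaped like the artifact table."""
    found, pos = [], 0
    while pos < len(buf):
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            break
        hit = min(hits)
        parsed = parse_sfnt(buf, hit)
        if parsed is None:                   # e.g. the word 'true' in a PDF dictionary
            pos = hit + 1
            continue
        length, tags = parsed
        blob = buf[hit:hit + length]
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{hit:08x}.bin",
            "sha256": hashlib.sha256(blob).hexdigest(),
            "offset": hit, "size": length, "tables": tags,
        })
        pos = hit + length                   # skip past the carved blob
    return found


def build_sample_font() -> bytes:
    """Constructed two-table sfnt with dummy payloads (no real glyph data)."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"FakeFontForTesting")]
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 32, 1, 0)
    off, directory, body = 12 + 16 * len(tables), b"", b""
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\x00" * (-len(data) % 4)
        body += padded
        off += len(padded)
    return header + directory + body


def build_sample_pdf() -> bytes:
    """Constructed PDF wrapping the font in an uncompressed stream."""
    font = build_sample_font()
    head = b"%PDF-1.4\n1 0 obj << /Type /Catalog /MarkInfo << /Marked true >> >> endobj\n"
    stream = b"5 0 obj << /Length " + str(len(font)).encode() + b" >> stream\n"
    return head + stream + font + b"\nendstream endobj\n%%EOF\n"


if __name__ == "__main__":
    for row in carve_fonts(build_sample_pdf()):
        print(row["filename"], row["sha256"], row["size"], row["tables"])
```

Hashing the carved blob rather than the whole PDF is what makes the artifact rows useful: the same font stream reused across many generated carriers gives a stable SHA-256 to pivot on even when every carrier's links and text differ.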