MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file was identified as malicious due to its extensive use of external links, characteristic of a link farm or SEO manipulation tactic. One critical heuristic firing indicates a PDF link to known malicious redirector infrastructure, specifically 'https://ttraff.link/pify?keyword=one+piece+brook+song+violin+sheet'. The document body, though heavily obfuscated, also contains this URL, suggesting it's a primary lure. The presence of numerous other PDF links, many hosted on 'static.usrfiles.com', further supports the link farm hypothesis.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/pify?keyword=one+piece+brook+song+violin+sheet
- https://static.usrfiles.com/ugd/17beed_eb2659c1de544a92b6e5ed69cadfef97.pdf
- https://static.usrfiles.com/ugd/440e29_6cf6cee7e24c4e00a611cdbc063c6e32.pdf
- https://static.usrfiles.com/ugd/409ca8_80a441a66ba54b29ae01c63eddcb9d9f.pdf
- https://static.usrfiles.com/ugd/e98895_f451bbff46404a218ce176714f322f0f.pdf
- https://static.usrfiles.com/ugd/7ff653_639c19c5580b4c3eb1cbd6f2d6618ab6.pdf
- https://static.usrfiles.com/ugd/2ac701_5c409c4144b14b289ff1071ec9eb6ec3.pdf
- https://static.usrfiles.com/ugd/9df9d6_34ed86f2233842338a7f245a3f439748.pdf
- https://cdn.shopify.com/s/files/1/0432/8721/6293/files/the_hobbit_audiobook_free.pdf
- https://cdn.shopify.com/s/files/1/0433/6402/4479/files/suzozitusinuwozoluwe.pdf
- https://static.usrfiles.com/ugd/eddc50_dcf544f7ca67453ba1644b63094f6e97.pdf
- https://static.usrfiles.com/ugd/db93e9_474085fd2ecc4528806548647c734d42.pdf
- https://static.usrfiles.com/ugd/2ca09c_a2c7d01033fe449aa6f5d4f3d63a9f72.pdf
- https://static.usrfiles.com/ugd/2994dd_10a79e577f33412496f912a4fe9f0426.pdf
- https://static.usrfiles.com/ugd/2c608b_34ec3f0abf2742a288af1c5a16de0bbe.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000043e2.bin448701b4cc4e813f640415b12b032cfbf311929b6df5ede52089fd0680840255 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x43E2 | 3908 bytes |
font_01_sfnt_off000051a8.binfce7bcc608bf720501462b74a3cda6338dac7e16424dbdafcaeb3e0002de4935 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x51A8 | 5276 bytes |
font_02_sfnt_off0000639c.bin3211d49fd3b04f935eb983a0f01a4dc67fff67b5d8e4187f3fcb7ba76d5ac4af |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x639C | 9684 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.