MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a link to a known malicious redirector, ttraff.cc, which is likely intended to deliver a payload. The document body and heuristics indicate a lure to click a download button, which is a common social engineering tactic. The presence of a large number of external PDF links suggests an attempt to manipulate search engine results or distribute content through a link farm.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=minecraft+pe+hunger+games
- http://files.nectrathletics.com/uploads/1/3/1/4/131455832/2461608.pdf
- http://files.designsbyoc.com/uploads/1/3/2/6/132696580/75a17d613ab6072.pdf
- http://files.johansoncomposition.com/uploads/1/3/0/8/130874043/8279423.pdf
- http://files.rmflmedan.com/uploads/1/3/2/7/132741110/nagalago.pdf
- https://cdn.shopify.com/s/files/1/0429/9204/2137/files/lofufoletorumadadi.pdf
- https://cdn.shopify.com/s/files/1/0434/9083/6632/files/53548741490.pdf
- https://cdn.shopify.com/s/files/1/0432/2839/7728/files/zowewawapopajuz.pdf
- https://cdn.shopify.com/s/files/1/0428/2292/6492/files/32443215841.pdf
- https://cdn.shopify.com/s/files/1/0427/8288/4006/files/81268585196.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xanixiki.pdf
- https://cdn.shopify.com/s/files/1/0429/4855/9004/files/81884806264.pdf
- https://cdn.shopify.com/s/files/1/0431/3815/4653/files/country_code_20.pdf
- https://cdn.shopify.com/s/files/1/0429/9731/7783/files/94270902839.pdf
- https://cdn.shopify.com/s/files/1/0434/7189/6736/files/angelus_en_latin.pdf
- https://cdn.shopify.com/s/files/1/0435/9526/8264/files/gisovidifu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000b6b5.bin64addcfc9d4ee337a1ec3180596ec6c5b01f393c2ae105e38746f524fbe22a89 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB6B5 | 14252 bytes |
font_01_sfnt_off0000e475.binbb9d65b53b8fb6aa0fc51e517cabde0058370587472712414d7508091e1662ff |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE475 | 5400 bytes |
font_02_sfnt_off0000f6b8.bin538939db0cf5c770f50d0ace65038e77a7363dfe812728a497cbc9eacbab97a5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6B8 | 16232 bytes |
font_03_sfnt_off00012955.bin52db30b66cfb76898988bc7c6ed152514c301740808ab95bec9c68e49df23550 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12955 | 16036 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.