Malware Insights
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. Additionally, it exhibits a PDF link farm, with many links hosted on 'cdn.shopify.com' and other domains, suggesting an attempt to distribute malicious content or improve SEO for malicious sites. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document may be part of a multi-stage attack, where the user is instructed to open a password-protected archive, likely to bypass initial security scans. No scripts were extracted, but the presence of numerous embedded URLs and the redirector link strongly suggest a phishing or malware delivery attempt.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=apple%20pencil%20pdf%20markup
- http://files.dchudphotography.com/uploads/1/3/1/4/131453194/0ff8849a37eda.pdf
- http://files.7thbattalion13thartillery.com/uploads/1/3/0/7/130738534/pukaxugu_wujubofo.pdf
- http://files.ifafrog.com/uploads/1/3/1/4/131409305/rakusedusimadira.pdf
- https://cdn.shopify.com/s/files/1/0432/4530/6011/files/lelikatesuxinizosex.pdf
- https://cdn.shopify.com/s/files/1/0440/2718/3269/files/municipal_wastewater_treatment_plant.pdf
- https://cdn.shopify.com/s/files/1/0429/2925/8649/files/tunuwakemubizonepakugako.pdf
- https://cdn.shopify.com/s/files/1/0431/0056/9753/files/86610228734.pdf
- https://cdn.shopify.com/s/files/1/0434/0485/3406/files/munegipazovuwi.pdf
- https://cdn.shopify.com/s/files/1/0431/3595/9191/files/32983599522.pdf
- https://cdn.shopify.com/s/files/1/0436/7558/2617/files/13583996356.pdf
- https://cdn.shopify.com/s/files/1/0428/4396/3548/files/17284949829.pdf
- https://cdn.shopify.com/s/files/1/0428/1057/2966/files/38055591134.pdf
- https://cdn.shopify.com/s/files/1/0430/8369/4247/files/el_breviario_de_alarico.pdf
- https://cdn.shopify.com/s/files/1/0429/5491/6006/files/12055295954.pdf
- https://cdn.shopify.com/s/files/1/0441/1251/1128/files/tcfexpress_online_banking.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/libidurekatomanazavevufi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006357.bin3a1c6c372bd02d1175bba2cd85a68993dd601af2043fbbbf3ac3b3665778ecce |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6357 | 5176 bytes |
font_01_sfnt_off000074de.binfd10324fec7e83be70abd3caf6e70a1461273b5f9386e14353b2c6a3f8213799 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x74DE | 10272 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.