MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. It also exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The document body text, though heavily corrupted, contains the phrase 'Toy defense 2 upgrade guide' and the malicious URL, suggesting a social engineering lure to trick the user into clicking the link. The heuristic 'SE_BROWSER_INSTALL_LURE' further supports the social engineering aspect, indicating the document likely prompts the user to install something.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=toy+defense+2+upgrade+guide
- http://files.hoggiesnetball.com.au/uploads/1/3/0/8/130874633/ad9f57d14d0.pdf
- http://files.slocampnpack.com/uploads/1/3/1/3/131398547/ca76e0.pdf
- http://gixod.cseventservices.com/uploads/1/3/1/8/131871796/gixazarus.pdf
- http://tixigun.janiceragoart.com/uploads/1/3/1/6/131606183/lunatolutapebitop.pdf
- https://cdn.shopify.com/s/files/1/0437/6661/2119/files/yeoman_of_the_guard_score.pdf
- https://cdn.shopify.com/s/files/1/0432/8361/1801/files/50059701188.pdf
- https://cdn.shopify.com/s/files/1/0433/3918/6344/files/amplificateur_operationnel_en_regime_lineaire.pdf
- https://cdn.shopify.com/s/files/1/0431/4457/7178/files/jijabizumozugowivozulo.pdf
- https://cdn.shopify.com/s/files/1/0430/9775/1709/files/21176399377.pdf
- https://cdn.shopify.com/s/files/1/0434/2287/5797/files/marketing_concepts_and_strategies_7th_edition_download.pdf
- https://cdn.shopify.com/s/files/1/0434/5187/5494/files/tubatorotabogideminobug.pdf
- https://cdn.shopify.com/s/files/1/0437/5920/6549/files/nugup.pdf
- https://cdn.shopify.com/s/files/1/0433/3325/5323/files/dovuligiri.pdf
- https://cdn.shopify.com/s/files/1/0428/1214/5823/files/6326069065.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008ee6.bine21d3dd52981d810928ccefeff0de963402f8540555f4f0751d008681f81bd77 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8EE6 | 5160 bytes |
font_01_sfnt_off0000a084.bin1423542d042a95086bdebd7987018578634adc2ee6f7fd921d3cf68a44072eea |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA084 | 10616 bytes |
font_02_sfnt_off0000c4d3.bin4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC4D3 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.