MALICIOUS
168
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious Link
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The presence of a 'download button' lure and instructions for a password-protected archive further indicate a malicious workflow designed to trick the user into downloading a payload. The PDF also hosts a link farm, potentially for SEO poisoning to increase visibility.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=dls+2020+mod+apk+timnas+indonesia
- http://gawute.statementsbyshannon.com/uploads/1/3/2/8/132814930/fizunikopijogemaf.pdf
- http://nijutoz.muskmeloncreative.com/uploads/1/3/1/8/131871921/c6bc160a951df7.pdf
- https://cdn.shopify.com/s/files/1/0431/7950/7875/files/multivariable_calculus_linear_algebra_and_differential_equations.pdf
- https://cdn.shopify.com/s/files/1/0429/0691/0876/files/54578494051.pdf
- https://cdn.shopify.com/s/files/1/0431/6551/5933/files/gizaduxezokugowuxomikar.pdf
- https://cdn.shopify.com/s/files/1/0430/1085/0979/files/sotavudi.pdf
- https://cdn.shopify.com/s/files/1/0430/5689/0013/files/72288822280.pdf
- https://cdn.shopify.com/s/files/1/0432/6467/1909/files/16617435323.pdf
- https://cdn.shopify.com/s/files/1/0433/6451/6005/files/bawuridefile.pdf
- https://cdn.shopify.com/s/files/1/0433/6500/7509/files/tosadegiwotetosi.pdf
- https://cdn.shopify.com/s/files/1/0435/9972/4702/files/59531580798.pdf
- https://cdn.shopify.com/s/files/1/0434/6737/4758/files/69609509288.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0433/6500/7509
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000083b9.bin608ba27a41d8fda0a427b6f17027ad52ffe6e539c3b9039a9b35751f88bfdda9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x83B9 | 5344 bytes |
font_01_sfnt_off000095d9.binf9b6467fb8931c1abc2b4f294850cc5e12a3a095fe5893941d73413a170b62fa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x95D9 | 10296 bytes |
font_02_sfnt_off0000b94b.bind5f7b879d4bd44d790d5ed5022df8582a6ea4dc33f751ea53f552bcb32ed4bc4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB94B | 16208 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.