Malware Insights
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=kaun+banega+crorepati+show+time'. This URL is associated with a lure related to the popular game show 'Kaun Banega Crorepati'. The document body, though heavily obfuscated, also contains this URL. Another critical heuristic indicates a PDF link farm, with the primary domain being cdn.shopify.com, suggesting an attempt to host or distribute multiple malicious PDFs. The overall pattern suggests a phishing or malware distribution campaign leveraging a popular cultural reference.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL:
- https://ttraff.cc/wix?keyword=kaun+banega+crorepati+show+time
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000e121.bin 8c4c675db9ef1d5c6e338da76b04af858834d2af74a769844190f41beee4736f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE121 | 5516 bytes |
| font_01_sfnt_off0000f390.bin 86bfda9e6bcb00bde6f40129cd6c8496843f972debb3f1dbcab29541ff127744 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF390 | 6172 bytes |
| font_02_sfnt_off0001027e.bin 43f967fe65a0141bc920792ec4beb19a8493885e039a283582933d86498443c8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1027E | 11648 bytes |
| font_03_sfnt_off000128e9.bin 6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x128E9 | 16164 bytes |
| font_04_sfnt_off00013e3a.bin 5dd1da04de31bf9f16ac079f2e2981318d4ab0f89b733d1319119bce23d22813 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E3A | 7424 bytes |