MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a link farm and a malicious redirector, indicating a social engineering lure. The document body, though heavily obfuscated, contains the URL https://ttraff.cc/pify?keyword=how+to+make+chainmail+armor+minecraft, which is a known malicious redirector. The heuristic 'SE_CLICKFIX' suggests the document is designed to trick users into executing commands, further supporting a social engineering attack pattern.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClickFix social engineering attack high SE_CLICKFIXDocument instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=how+to+make+chainmail+armor+minecraft
- http://files.arjunatransportationllc.com/uploads/1/3/0/8/130814581/saras_kexados.pdf
- http://files.presbyteryoflothian.org.uk/uploads/1/3/1/0/131069869/wunilusobutowu.pdf
- http://files.byersbuilders.com/uploads/1/3/0/8/130873715/bb561.pdf
- http://files.chuckpotterart.net/uploads/1/3/1/6/131607440/rijunutusubupun-mutijo-ziduxus-nukabuled.pdf
- http://files.gardentherapybliss.ca/uploads/1/3/2/6/132695278/8543c.pdf
- https://cdn.shopify.com/s/files/1/0439/2583/1835/files/famete.pdf
- https://cdn.shopify.com/s/files/1/0435/1016/9759/files/gomafer.pdf
- https://cdn.shopify.com/s/files/1/0435/6728/4387/files/25000664300.pdf
- https://cdn.shopify.com/s/files/1/0431/3448/4648/files/40977509520.pdf
- https://cdn.shopify.com/s/files/1/0431/6626/9597/files/14325302339.pdf
- https://cdn.shopify.com/s/files/1/0435/5493/0839/files/12643029355.pdf
- https://cdn.shopify.com/s/files/1/0438/6082/0133/files/74953434450.pdf
- https://cdn.shopify.com/s/files/1/0433/1202/1662/files/rovevinusufelukefutotep.pdf
- https://cdn.shopify.com/s/files/1/0428/1093/3414/files/40099098853.pdf
- https://cdn.shopify.com/s/files/1/0429/5655/4394/files/15859913825.pdf
- https://cdn.shopify.com/s/files/1/0432/1322/6139/files/76339198752.pdf
- https://cdn.shopify.com/s/files/1/0432/8102/3132/files/tisabepo.pdf
- https://cdn.shopify.com/s/files/1/0431/5247/4280/files/49727959848.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000072d3.bine6d0e560fe50b5b2f43e606ca0f0b1913d5cc034a4e00989ed074897cb586e0a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x72D3 | 4848 bytes |
font_01_sfnt_off00008328.bin35629fb96be0d0d3e312d42ae89f56a386c67415712f704cd7ecb6ca22577202 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8328 | 10156 bytes |
font_02_sfnt_off0000a5d6.bin9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5D6 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.