MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.com. The document body, though heavily obfuscated, contains the same URL and appears to be a lure for exam preparation materials. The PDF also exhibits characteristics of a link farm, with numerous external links, many hosted on cdn.shopify.com. The primary malicious IOC is the ttraff.com redirector, which likely serves as a gateway to further malicious content.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=quantitative+aptitude+questions+with+answers+for+bank+clerk+exams+pdf
- http://files.edhgs.com/uploads/1/3/1/4/131408529/lujaremokike_nezuki_derunelizaxeti_kelabij.pdf
- http://files.crescentmortgagecompany.com/uploads/1/3/0/7/130739204/sesafutajajalivewok.pdf
- http://files.rosenortfellowship.ca/uploads/1/3/0/7/130740292/1424173.pdf
- https://cdn.shopify.com/s/files/1/0438/8149/6744/files/43899648186.pdf
- https://cdn.shopify.com/s/files/1/0430/6118/2617/files/gitignore_for_unity.pdf
- https://cdn.shopify.com/s/files/1/0427/7056/3239/files/bamugifimijo.pdf
- https://cdn.shopify.com/s/files/1/0431/0453/4692/files/19354706581.pdf
- https://cdn.shopify.com/s/files/1/0429/1336/6182/files/65319828909.pdf
- https://cdn.shopify.com/s/files/1/0429/9948/0473/files/buzemu.pdf
- https://cdn.shopify.com/s/files/1/0433/9780/8285/files/refefabi.pdf
- https://cdn.shopify.com/s/files/1/0437/0061/7381/files/43893312676.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xizujebekox.pdf
- https://cdn.shopify.com/s/files/1/0430/7009/5521/files/vaxatiwojupuwose.pdf
- https://cdn.shopify.com/s/files/1/0438/0000/2717/files/kukew.pdf
- https://cdn.shopify.com/s/files/1/0436/4215/9257/files/71078658752.pdf
- https://cdn.shopify.com/s/files/1/0434/2638/1975/files/vusifoxowozefoxegir.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000694f.binbafc27d27e8b7c8be6484ce57d738d383ea1c9d240d72bf1e737e3335408df7c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x694F | 6008 bytes |
font_01_sfnt_off00007daf.bin9f84ec65fa7f52f2849e1ecd1d1d6997946ff08750e8e2a32b195f0d0bec1285 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DAF | 10532 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.