MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF document contains a lure related to a 'vehicle bill of sale template' and includes numerous links, many of which point to a link farm hosted on cdn.shopify.com. One critical heuristic indicates that a link within the PDF redirects to known malicious infrastructure at 'ttraff.com'. This suggests the document is designed to redirect users to malicious sites, likely for phishing or malware distribution.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=vehicle+bill+of+sale+template+fillable+pdf+free
- http://files.bevgilliard.com/uploads/1/3/0/8/130873921/xozemekawu.pdf
- http://nesaxupi.greyfriarstutorials.org/uploads/1/3/0/8/130874038/a7f93da96d.pdf
- http://nixutuwu.keithnewvine.org/uploads/1/3/0/7/130739553/migibakumaxor-rufabewujutaf-lurew-gaveref.pdf
- http://vimileb.huxtersnookercoaching.co.uk/uploads/1/3/1/3/131398367/484717.pdf
- https://cdn.shopify.com/s/files/1/0431/7511/6964/files/85143647869.pdf
- https://cdn.shopify.com/s/files/1/0432/0627/9332/files/72658498746.pdf
- https://cdn.shopify.com/s/files/1/0437/1962/2808/files/lufurow.pdf
- https://cdn.shopify.com/s/files/1/0432/8377/5643/files/govujalutotozupokasox.pdf
- https://cdn.shopify.com/s/files/1/0431/2222/9397/files/bawekezipi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/60527157158.pdf
- https://cdn.shopify.com/s/files/1/0435/4703/3752/files/gexisuxam.pdf
- https://cdn.shopify.com/s/files/1/0431/6689/2191/files/rizuzefizewenozomokitefe.pdf
- https://cdn.shopify.com/s/files/1/0430/1147/3571/files/bhagavad_gita_meaning_in_telugu.pdf
- https://cdn.shopify.com/s/files/1/0430/9372/1255/files/jiketijo.pdf
- https://cdn.shopify.com/s/files/1/0436/0303/4276/files/givakozukegowulepewe.pdf
- https://cdn.shopify.com/s/files/1/0432/0195/3952/files/60649614678.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006d3c.bin0cbd82763bf08a84b00ffcf9725f75da12123411be3cba69387f6947649d513b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D3C | 5184 bytes |
font_01_sfnt_off00007ecf.bin88c26328ef49d2288e9fef8d16e95a18eb717682ed95556e6ef2a5837608176f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7ECF | 10272 bytes |
font_02_sfnt_off0000a1e0.bincd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA1E0 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.