MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 Malicious Link
T1059.001 PowerShell
The PDF contains a link farm and a malicious redirector, indicating an attempt to drive traffic to potentially harmful sites. The document body, though heavily obfuscated, suggests a lure related to a 'baby jogger manual'. The presence of numerous external PDF links, many hosted on WordPress, points towards a link-farming or SEO manipulation tactic to obscure the true malicious destination. The primary malicious URL identified is ttraff.com.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=baby%20jogger%20city%20mini%20gt%20travel%20system%20manual
- http://files.kakapocakes.com/uploads/1/3/0/8/130813307/017e8771.pdf
- http://files.theriversedgeranch.org/uploads/1/3/1/8/131871762/0f162.pdf
- http://files.adelaidechickensittingservice.com/uploads/1/3/1/8/131857071/wovakemeluwo-bokevanukapaku.pdf
- http://files.adelaidechickensittingservice.com/uploads/1/3/1/8/131857071/wovakemeluwo-bokevan
- https://miwezoju.files.wordpress.com/2020/07/1274301964.pdf
- https://nozikop.files.wordpress.com/2020/06/86718352053.pdf
- https://wojikife.files.wordpress.com/2020/07/11601562327.pdf
- https://rofatekarem.files.wordpress.com/2020/06/25077506787.pdf
- https://putasadasota541167068.files.wordpress.com/2020/07/37842927587.pdf
- https://sajovuvinar.files.wordpress.com/2020/07/6802782666.pdf
- https://zejezezo.files.wordpress.com/2020/06/pemakujoserinojeza.pdf
- https://texamepup.files.wordpress.com/2020/07/31693991041.pdf
- https://cdn.shopify.com/s/files/1/0428/7977/8979/files/kisufewoberixifiva.pdf
- https://cdn.shopify.com/s/files/1/0430/3595/1257/files/gekefupetezopulo.pdf
- https://cdn.shopify.com/s/files/1/0431/4795/2294/files/wibeli.pdf
- https://cdn.shopify.com/s/files/1/0431/6758/0322/files/roxetoliguvaji.pdf
- https://cdn.shopify.com/s/files/1/0439/7488/5534/files/lidumuwemaxejazikujoj.pdf
- https://cdn.shopify.com/s/files/1/0433/1539/6776/files/retalobewalodisominagetop.pdf
- https://cdn.shopify.com/s/files/1/0432/6745/7188/files/50015136174.pdf
- https://cdn.shopify.com/s/files/1/0431/5673/4109/files/53372494881.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005697.bin841bb53c04d4a02c0ec0566de782767c8dd5930aa96ac9f69dbc94274091a549 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5697 | 5428 bytes |
font_01_sfnt_off00006904.binb24f08bee3083f3c99975315a3328ae88cf96c47ac2126f6e656c332f0fa8174 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6904 | 8900 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.