Verdict: MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a prominent link disguised as a download for a 'Dragon City hack'. This link redirects to a malicious URL, ttraff.me, which is flagged as a malicious redirector. The document also contains a mass external PDF link farm, suggesting SEO manipulation to distribute malicious content. The presence of a call-to-action button further supports the lure.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.me/wix?keyword=dragon+city+hack+no+verification+2019
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00007860.bin | 872adcc56e08656f8e96e951fd4ab17d86de352bd30309f9ad032f8640da378a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7860 | 5640 bytes |
| font_01_sfnt_off00008ba5.bin | d13b1e4a8bf8c3ce5ed9e86756bcfe0d7e9578863a7bdc193808abb4e1cba6d8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8BA5 | 2336 bytes |
| font_02_sfnt_off00009618.bin | c516f40505cee6a4df533efe485b2a1a078dc0c5e91e9b9660aeeb66eaa5af32 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9618 | 11352 bytes |