MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a lure for a 'Chipotle reward code' and embeds numerous links, including a critical redirector link to 'ttraff.me'. The heuristics indicate the document is a malicious redirector and a link farm, designed to trick users into clicking external links. Additionally, it employs social engineering lures for browser extension installation and callback phishing, suggesting a multi-stage attack. The primary intent appears to be directing users to malicious infrastructure for further exploitation.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=chipotle+reward+code
- https://9ffb31c1-682a-48f
- https://cdn.shopify.com/s/files/1/0481/9671/4650/files/kobefofosotalibasug.pdf
- https://cdn.shopify.com/s/files/1/0449/7879/8750/files/worajadakizaforabanavom.pdf
- https://cdn.shopify.com/s/files/1/0430/3365/7507/files/fofowegotajajukikom.pdf
- https://cdn.shopify.com/s/files/1/0482/2129/0650/files/die_hard_battery_charger_manual.pdf
- https://cdn.shopify.com/s/files/1/0433/9928/2845/files/dymo_labelwriter_450_troubleshooting.pdf
- https://e07e21cc-a202-4e4c-9020-f7b3c513dee8.filesusr.com/ugd/97634b_3a00c2ceb4f945a0bf6989ec7aa25b73.pdf?index=true
- https://9ffb31c1-682a-48f5-b51b-c57ab2078561.filesusr.com/ugd/ad2ade_4d8cad1bbee149aabb611e34ef1fe613.pdf?index=true
- https://cdn.shopify.com/s/files/1/0438/8893/5067/files/nejuxogelegagi.pdf
- https://cdn.shopify.com/s/files/1/0430/0505/1029/files/pranayama_breathing_exercises.pdf
- https://cdn.shopify.com/s/files/1/0431/1869/0458/files/39992258132.pdf
- https://cdn.shopify.com/s/files/1/0434/1668/2663/files/84526288535.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006466.binfa128ca09d39a72d83054e34350d24d94f772739d266a8dd41195b0c01d299ee |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6466 | 4780 bytes |
font_01_sfnt_off000074c7.binaef7677fd04982c352e3f4df147f2503608b04b4e90b67e7d1ef2945f3148581 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x74C7 | 10724 bytes |
font_02_sfnt_off00009920.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9920 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.