MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link, which points to 'ttraff.com'. The document body, though heavily obfuscated, contains text related to 'Winrar' and includes the same malicious URL. The presence of a 'Password-protected archive handoff' heuristic suggests the intent is to trick the user into downloading an encrypted payload, likely after clicking the malicious link. The PDF also contains a link farm, indicating a potential SEO poisoning or traffic generation scheme.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=winrar+5.+50+64+bit+free
- https://static.usrfiles.com/ugd/b8c837_b469bbfbb92b47b990690137d1cb885f.pdf
- https://static.usrfiles.com/ugd/b8c837_1c88fd91eb284196bf4a88e69f2587c6.pdf
- https://static.usrfiles.com/ugd/34e21e_a573931821dd4c98a751f77d5967b362.pdf
- https://static.usrfiles.com/ugd/9b33c5_5e18b705a82d426c94080cfd4ae09a1e.pdf
- https://static.usrfiles.com/ugd/bfbc46_b4003e78363f4053bffe3e2f80e907c7.pdf
- https://cdn.shopify.com/s/files/1/0438/9814/2875/files/flex_tape_copypasta.pdf
- https://cdn.shopify.com/s/files/1/0431/2036/1629/files/37265754573.pdf
- https://cdn.shopify.com/s/files/1/0450/7946/2040/files/associer_deux_page.pdf
- https://cdn.shopify.com/s/files/1/0433/4161/1159/files/fish_eating_bird_crossword_answer.pdf
- https://cdn.shopify.com/s/files/1/0438/8116/9051/files/fodugipomepeze.pdf
- https://cdn.shopify.com/s/files/1/0431/1760/9122/files/nisuvesasod.pdf
- https://cdn.shopify.com/s/files/1/0437/6874/2039/files/dafuxofunokox.pdf
- https://cdn.shopify.com/s/files/1/0430/9306/5877/files/16097084982.pdf
- https://cdn.shopify.com/s/files/1/0434/8408/6424/files/acr_neo_3f_manual.pdf
- https://cdn.shopify.com/s/files/1/0432/5533/3027/files/puvafukomifixebogifaf.pdf
- https://cdn.shopify.com/s/files/1/0431/5214/6586/files/37901969381.pdf
- https://cdn.shopify.com/s/files/1/0428/7430/6727/files/ccna_200_301_download.pdf
- https://cdn.shopify.com/s/files/1/0434/0832/6813/files/pogapiw.pdf
- https://cdn.shopify.com/s/files/1/0432/2269/6096/files/judogubadidijosiwez.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006123.bin56686c153a6a3dbef227cffb50655c259d59938f8f4116add3654f8b4c9dc349 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6123 | 5244 bytes |
font_01_sfnt_off00007321.bin3d0b358e9e77df7cec5c62152ca4af17222e4e88b8711280f19cc15bde637580 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7321 | 10472 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.