MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link and a link farm, indicating a social engineering attempt. The document body, though partially corrupted, contains URLs that are part of this link farm. The primary malicious URL identified is https://ttraff.ru/wix?keyword=foxit+phantompdf+portable+full, which is likely used to redirect the user to a malicious site. The presence of a browser extension installation lure further supports the social engineering attack pattern.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=foxit+phantompdf+portable+full
- https://cdn.shopify.com/s/files/1/0434/5469/3537/files/wigejabiduboxer.pdf
- https://cdn.shopify.com/s/files/1/0433/4488/7966/files/8601533020.pdf
- https://cdn.shopify.com/s/files/1/0428/6958/8124/files/40951413756.pdf
- https://cdn.shopify.com/s/files/1/0428/0372/4455/files/gekitiwalemizukewoveni.pdf
- https://static.usrfiles.com/ugd/b8c837_f03054af6d0643b48543cb0a14d3a541.pdf
- https://static.usrfiles.com/ugd/b8c837_9151738f30464518a1a30bcad4501425.pdf
- https://static.usrfiles.com/ugd/a01749_6a191d0d6aba49e8a8d360eae51a24d6.pdf
- https://static.usrfiles.com/ugd/b8c837_6694744333924d179f20ebd4164a7612.pdf
- https://static.usrfiles.com/ugd/b8c837_2bc0d304f2534ce2b8950baf88f97989.pdf
- https://static.usrfiles.com/ugd/3826db_94d05797f5394b37a2a190b6cda81243.pdf
- https://static.usrfiles.com/ugd/238140_529a6bdeeb1d46b397f2e8da327de3f1.pdf
- https://static.usrfiles.com/ugd/b8c837_0abb086997794cdb867f6fd60c66575f.pdf
- https://static.usrfiles.com/ugd/b8c837_c1584a88629b41319ec3c2f91c7583ef.pdf
- https://static.usrfiles.com/ugd/b8c837_9b943771cd09414485b7e159079aa3aa.pdf
- https://static.usrfiles.com/ugd/ea9bdf_a6a85239ebf34cfcae010899fd201635.pdf
- https://static.usrfiles.com/ugd/ca9b0a_08fc55d797cb42cea6254e80124489fc.pdf
- https://static.usrfiles.com/ugd/5fd5c1_c74260ce66ff477988848009045095b0.pdf
- https://static.usrfiles.com/ugd/b8c837_c5457d31b2ec4059a31b98aa8781f0d3.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com/ugd/b8c837_6694744333924d179f20e
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f94.bin91efb57e007a19fc70b977c18c17c19aff9ae0c58828ecd7cda363614386e7e9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F94 | 5268 bytes |
font_01_sfnt_off0000814e.bin6bee47e8ac0549dc0285e03d508fc70dcbb4d70d3ab1b227139901a359076199 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x814E | 10732 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.