MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a malicious redirector link pointing to 'ttraff.ru', which is designed to lure users into downloading further content. The document also includes instructions that suggest the execution of Windows scripting tools, indicating a potential for further malicious activity. The presence of a password protection lure suggests an attempt to bypass security controls.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=aiff+d+license+log+book+pdf+download
- http://files.victorpearlman.com/uploads/1/3/1/6/131637224/9692547.pdf
- http://files.murraydopking.com/uploads/1/3/2/7/132741334/furoli_sazusorolesi_zefaba_pexulupagejog.pdf
- http://files.woodpalooza.com/uploads/1/3/0/9/130969459/fijori-rewomibigonog.pdf
- http://files.firefallseffects.com/uploads/1/3/1/4/131453199/maruroruluki.pdf
- https://cdn.shopify.com/s/files/1/0430/8113/8343/files/14910298232.pdf
- https://cdn.shopify.com/s/files/1/0432/9085/3531/files/94683865637.pdf
- https://cdn.shopify.com/s/files/1/0440/5005/5318/files/7273822408.pdf
- https://cdn.shopify.com/s/files/1/0432/1561/8203/files/54791427272.pdf
- https://cdn.shopify.com/s/files/1/0437/2722/4986/files/45880306034.pdf
- https://cdn.shopify.com/s/files/1/0437/2270/2999/files/nevemi.pdf
- https://cdn.shopify.com/s/files/1/0440/1351/9006/files/powershell_set_environment_variable.pdf
- https://cdn.shopify.com/s/files/1/0433/9925/0072/files/lezeponuvab.pdf
- https://cdn.shopify.com/s/files/1/0430/5174/5442/files/tifekasogujozisugobofa.pdf
- https://cdn.shopify.com/s/files/1/0432/3259/2040/files/10226949679.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00017c4b.binb690680ad82e3669fe8bf4f4c7acff9172746be60475d3cfddd405921656c80b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17C4B | 5512 bytes |
font_01_sfnt_off00018f38.binb8c012909186fde0951e1a3f22d46ff431663008ee93e45069290cbbdc255b00 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x18F38 | 10552 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.