MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link that redirects to a known malicious domain, disguised with a lure related to a sports figure. The PDF also contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm or SEO poisoning tactic. The primary malicious URL identified is https://ttraff.com/pify?keyword=lebron+james+jr+espn+scouting+report, which is likely used to redirect the user to a further malicious destination.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=lebron+james+jr+espn+scouting+report
- http://taxetoloj.hidalgobraccoitalianos.com/uploads/1/3/2/8/132814930/a3f49b2d0e.pdf
- http://tejur.sghock.com/uploads/1/3/2/3/132302868/3436268.pdf
- http://files.awordandcompany.com/uploads/1/3/0/8/130814788/2594692.pdf
- https://cdn.shopify.com/s/files/1/0438/5452/8677/files/gukekitajosokitiponazet.pdf
- https://cdn.shopify.com/s/files/1/0436/0978/4482/files/xapemurozo.pdf
- https://cdn.shopify.com/s/files/1/0432/6762/1028/files/assassination_rogue_hidden_artifact_guide.pdf
- https://cdn.shopify.com/s/files/1/0432/5936/3478/files/ligavozafajibuwa.pdf
- https://cdn.shopify.com/s/files/1/0434/2192/5525/files/gimezopubigidujatadolabi.pdf
- https://cdn.shopify.com/s/files/1/0433/4908/2264/files/37820973595.pdf
- https://cdn.shopify.com/s/files/1/0438/9008/1960/files/kevano.pdf
- https://cdn.shopify.com/s/files/1/0432/5317/0334/files/af_soomaali_fasalka_2aad.pdf
- https://cdn.shopify.com/s/files/1/0431/1888/7073/files/16187359638.pdf
- https://cdn.shopify.com/s/files/1/0427/6980/9575/files/warotefoneros.pdf
- https://cdn.shopify.com/s/files/1/0437/9394/0641/files/fimurasazevatuduretuz.pdf
- https://cdn.shopify.com/s/files/1/0427/9717/0847/files/44384454557.pdf
- https://cdn.shopify.com/s/files/1/0434/9617/7816/files/ecoutez_bien_2_answers.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007d9e.binfbd41a58c80e6f2a80e8e059a1f3e50a08d354690e1fff2dc752442c275b08af |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D9E | 5260 bytes |
font_01_sfnt_off00008f5d.bin45145380e7cdaea0ecac9fefab322bf843512afc982cfb06b0cff282a1e3be17 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F5D | 2640 bytes |
font_02_sfnt_off00009af1.binf8235a845cfb134f2a549cfdbe24a90683e0c4757c08fe6695e15316050b9993 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9AF1 | 10408 bytes |
font_03_sfnt_off0000be95.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBE95 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.