Malware Insights
The PDF contains a malicious redirector link pointing to 'ttraff.com', which is a critical finding. Additionally, it features a large number of external PDF links, many hosted on Shopify, suggesting a link farm for SEO manipulation or traffic redirection. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/wb?keyword=plumbing%20system%20in%20building%20pdf', reinforcing the malicious redirector. The heuristic 'SE_REMOTE_SUPPORT_LURE' indicates the document may also attempt to trick users into installing remote support tools, though no specific script was found to confirm this.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (severity: critical, id: PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Remote-support tool lure (severity: high, id: SE_REMOTE_SUPPORT_LURE): Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect; high-risk in an unsolicited document.
- Embedded URL (severity: info, id: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.com/wb?keyword=plumbing%20system%20in%20building%20pdf
- http://files.usasportsassociation.com/uploads/1/3/0/8/130874326/2661878.pdf
- http://files.slra.org/uploads/1/3/1/4/131454316/db2bd1a5b5f4a.pdf
- http://dijere.berclairbaptist.org/uploads/1/3/0/8/130874493/5318722.pdf
- http://dedodivu.fortschrittskolleg-replir.de/uploads/1/3/1/0/131069839/caead1653d1.pdf
- https://cdn.shopify.com/s/files/1/0429/8545/5769/files/flawless_widescreen_kotor.pdf
- https://cdn.shopify.com/s/files/1/0435/6086/1845/files/gitot.pdf
- https://cdn.shopify.com/s/files/1/0431/3127/3365/files/gamizujilipe.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/54101174921.pdf
- https://cdn.shopify.com/s/files/1/0435/3412/3160/files/71406050512.pdf
- https://cdn.shopify.com/s/files/1/0427/8275/2935/files/3608425455.pdf
- https://cdn.shopify.com/s/files/1/0429/9387/7145/files/basic_mathematical_formulas_free_download.pdf
- https://cdn.shopify.com/s/files/1/0431/8976/4245/files/argumentative_and_persuasive_essay_examples.pdf
- https://cdn.shopify.com/s/files/1/0434/3152/6561/files/delete_watermark_online.pdf
- https://cdn.shopify.com/s/files/1/0429/8774/9529/files/nopotimitejozuremu.pdf
- https://cdn.shopify.com/s/files/1/0429/2152/5407/files/armitron_pro_sport_watch_manual.pdf
- https://cdn.shopify.com/s/files/1/0430/4571/6129/files/41516485520.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00007bc9.bin | 257c2218b61af81882b40653329e4aceb22d6761078900441165791e2ed6fe33 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7BC9 | 5296 bytes |
| font_01_sfnt_off00008dc0.bin | de4ed7d522fb57f4e420939927626cae7e6deab977e0e7427b4c02bbba2f60b6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DC0 | 9760 bytes |