Malware Insights
Two critical heuristics fire on this PDF. The first is a clickable link to known malicious redirector infrastructure at 'ttraff.me'; the second is a PDF link-farm heuristic, triggered by the large number of external PDF URLs embedded in a small document. The document body, although heavily obfuscated, contains the string 'Avast business console' and the URL 'https://ttraff.me/wix?keyword=avast+business+console', which suggests a search-engine lure themed around security software. The 'SE_CLIPBOARD_COMMAND_LURE' heuristic additionally indicates that the document instructs the user to copy and paste content into a command-line interface, likely in order to execute a downloaded payload. None of these findings depends on a PDF parser vulnerability; the chain relies on the user clicking and following instructions.
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://ttraff.me/wix?keyword=avast+business+console
- http://files.linmog.co.uk/uploads/1/3/0/8/130814007/bofonukokipeg_tapobazulonini_subexu_gozadobux.pdf
- http://paxek.ljhfoc.com/uploads/1/3/1/6/131606255/8749449.pdf
- http://wuwabala.johnmorrispiano.com/uploads/1/3/0/7/130775411/2e7d30aa8012.pdf
- http://boxazu.moranenterprises.com/uploads/1/3/0/8/130873995/nafarenedavas.pdf
- http://giwakub.sarahhime.ca/uploads/1/3/2/8/132814974/kikagebowisoxi.pdf
- https://20bd43c9-f586-4600-870e-2bdc73b7a14b.filesusr.com/ugd/df4650_2f3073a3c1ff4ccb89110f5155edc71f.pdf?index=true
- https://573f7c07-d348-49e1-834c-06e2399c468a.filesusr.com/ugd/954c8b_5a424cb2611a491ba587d55d99099e0b.pdf?index=true
- https://a1b8e97f-815c-43c8-bead-3e96237b8705.filesusr.com/ugd/4a6c57_d414788f29ed46d9a1847049fd591a15.pdf?index=true
- https://4887ec1e-a511-44e0-92df-30a3fec9da83.filesusr.com/ugd/1cc777_f0b7cbdf1a944f09b0e99de15485139b.pdf?index=true
- https://ecc8f602-6ea3-4a9a-a7df-7b9e432204fb.filesusr.com/ugd/837d34_1f0537cdff8f472499441c4bb24c650c.pdf?index=true
- https://8c8b2375-5935-41aa-941f-26e1b0c8cdbc.filesusr.com/ugd/3d7af5_4940a81e12c748c593be889a433d4585.pdf?index=true
- https://2532a9a2-b799-41e6-9627-6ff90278bc0e.filesusr.com/ugd/d4c4cf_4128366fadea4a0ea84c5f66656f2ef4.pdf?index=true
- https://dd91442e-23aa-4004-a8eb-5f1e38099a5b.filesusr.com/ugd/45fd81_bc262d7aa5c642ae8177561ad90df55b.pdf?index=true
The following six URIs are XMP/RDF metadata namespace identifiers found in ordinary PDF metadata; they are schema names, not navigable links, and are expected in any PDF with an XMP packet:
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
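As an added example, not the analyzer's own code, the three heuristics above re-implemented as a small regex scanner over raw PDF bytes and run on a constructed, uncompressed PDF. The thresholds, the placeholder `files-host.example` domain, and the sample lure text are assumptions; only the ttraff.me redirector URL is taken from this report. Real samples usually keep annotations and page content in FlateDecode streams, so those would need inflating before the patterns match.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Regexes over raw PDF bytes. This only sees uncompressed objects; real samples
# usually wrap annotations and content in FlateDecode streams, which must be
# inflated (zlib) before these patterns will match.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /A << /S /URI /URI (...) >>
TEXT_RE = re.compile(rb"\(([^()]*)\)\s*Tj")         # literal strings painted with Tj
LURE_RE = re.compile(
    r"\b(copy|paste|ctrl\s*\+\s*v)\b.{0,120}?\b(run|powershell|cmd|command prompt|terminal)\b",
    re.IGNORECASE | re.DOTALL,
)
# Only ttraff.me comes from the report above; a production list would be a feed.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.me"}


def extract_uri_links(pdf_bytes):
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]


def extract_text(pdf_bytes):
    return " ".join(m.decode("latin-1") for m in TEXT_RE.findall(pdf_bytes))


def registrable_domain(host):
    # Crude eTLD+1 (last two labels). A real implementation should use the
    # public suffix list so that hosts like files.linmog.co.uk group correctly.
    return ".".join(host.split(".")[-2:]) if host else ""


def link_farm(pdf_bytes, max_size=250_000, min_links=8, cluster_ratio=0.6):
    """PDF_SEO_LINK_FARM: small file, many external links, mostly one domain.
    Thresholds are assumptions, not the analyzer's."""
    external = [u for u in extract_uri_links(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    domains = Counter(registrable_domain(urlparse(u).hostname) for u in external)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(external) if external else 0.0
    return {
        "fired": len(pdf_bytes) <= max_size and len(external) >= min_links and share >= cluster_ratio,
        "external_links": len(external),
        "top_domain": top_domain,
        "top_domain_share": round(share, 2),
    }


def redirector_links(pdf_bytes):
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable URI whose host is a known redirector."""
    return [u for u in extract_uri_links(pdf_bytes)
            if (urlparse(u).hostname or "").lower() in KNOWN_REDIRECTOR_HOSTS]


def clipboard_lure(pdf_bytes):
    """SE_CLIPBOARD_COMMAND_LURE: copy/paste instruction close to a shell-like
    target (Run, PowerShell, cmd, ...). Returns the matching phrase or None."""
    m = LURE_RE.search(extract_text(pdf_bytes))
    return m.group(0) if m else None


def build_sample_pdf(urls, body_text):
    """Constructed minimal uncompressed PDF: one page, one text string, one
    /Link annotation per URL. Used only as offline test input."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{i + 5} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{annots}] >>".encode())
    content = f"BT /F1 12 Tf ({body_text}) Tj ET".encode("latin-1")
    objs.append(b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream")
    for u in urls:
        objs.append(f"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >>".encode())
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: nine links on sub-hosts of a placeholder domain (mimicking the
# filesusr.com cluster in the report), one link to the report's redirector URL, and
# a copy/paste-into-Run lure in the page text.
SAMPLE_URLS = [f"https://{i:08x}.files-host.example/ugd/{i:x}.pdf?index=true" for i in range(9)]
SAMPLE_URLS.append("https://ttraff.me/wix?keyword=avast+business+console")
SAMPLE_PDF = build_sample_pdf(
    SAMPLE_URLS, "Press Win+R, paste the copied command into Run and press Enter")


def analyze(pdf_bytes=SAMPLE_PDF):
    return {"link_farm": link_farm(pdf_bytes),
            "redirectors": redirector_links(pdf_bytes),
            "clipboard_lure": clipboard_lure(pdf_bytes)}


if __name__ == "__main__":
    for name, result in analyze().items():
        print(f"{name}: {result}")
```

Clustering by registrable domain rather than exact hostname is what makes the filesusr.com pattern above count as "one host": each link sits on a different random subdomain, so an exact-host counter would see ten unrelated hosts and never fire.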
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005ba3.bin | 982fbe045aad1170e1c6bbf83dc890184b565108b10fad1627163297ce853fa1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BA3 | 4888 bytes |
| font_01_sfnt_off00006c5f.bin | ae79b34fd8d729cadb1518ed3f317d370fb37a5a59d9c6f302a458ff59749e07 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C5F | 10120 bytes |