MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is used in a lure to download Adobe Flash Player. The document body also contains this URL and other links, suggesting a link farm for SEO poisoning. The presence of a visual download button further supports the social engineering aspect of this attack. No scripts were extracted, limiting the analysis of the payload.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs
- https://ttraff.com/wix?keyword=adobe+flash+player+10.+1
- https://cdn.shopify.com/s/files/1/0431/8960/0414/files/nusuxoxifimarapuwobedig.pdf
- https://cdn.shopify.com/s/files/1/0434/1560/1304/files/adding_and_subtracting_rational_expressions_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0435/1868/9434/files/jspdf_autotable_column_widths_to_wide_and_can_t_fit_page.pdf
- https://cdn.shopify.com/s/files/1/0431/8006/4936/files/pedoxukejepatepugak.pdf
- https://cdn.shopify.com/s/files/1/0430/7720/6178/files/faringitis_pediatria.pdf
- https://static.usrfiles.com/ugd/dfb5f8_4724e772b0054d83a8b760be0b0cb272.pdf
- https://static.usrfiles.com/ugd/b8c837_95b63f57fc54495db8ce1454c6586e8f.pdf
- https://static.usrfiles.com/ugd/ea78e0_39dc893771ed438a8e21608d4256b2e7.pdf
- https://static.usrfiles.com/ugd/d5415a_ec9f58951573483fbdfa8ebd4c70b0b4.pdf
- https://static.usrfiles.com/ugd/d162e3_fbea4a78ae74498e92026bb15ff26165.pdf
- https://static.usrfiles.com/ugd/b8c837_91639b4acd3d409896544a6ef5fd5fe4.pdf
- https://static.usrfiles.com/ugd/b8c837_0444f4670e5641759cd886d5c46e78c8.pdf
- https://static.usrfiles.com/ugd/b8c837_7bf8c48e0ef7482bb56a3cdecb7b465f.pdf
- https://static.usrfiles.com/ugd/b8c837_35396f3a25dc4e48b77620c942a71c0f.pdf
- https://static.usrfiles.com/ugd/b8c837_7e904775cefb4412b93ad8db286da3b2.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000064dc.bin | a8d328f8de526de491e4d538e1d9d9a738e7cca1dc59397da9aa9657b5a4cde6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64DC | 5584 bytes |
| font_01_sfnt_off000077df.bin | f22f90f6153c5fe9372267c31126df21982605ba9432f3600466d105627897de | pdf-font-stream | PDF embedded font (sfnt) at offset 0x77DF | 10228 bytes |