Verdict: MALICIOUS
Risk Score: 120

Malware Insights
MITRE ATT&CK: T1566.002 Spearphishing Attachment; T1200 Hardware Add-in
The PDF file contains numerous embedded links designed to redirect users to various external sites, forming a link farm. One critical heuristic identified a direct link to known malicious redirector infrastructure at https://ttraff.com/wb. The document body, though partially corrupted, also contains this URL and others that are part of the link farm. No scripts were extracted from this sample.
Heuristics (3)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL info [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.com/wb?keyword=autumn%20leaves%20jazz%20chords%20pdf
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007ac0.bin (SHA-256 218f4a0471e69b83ffe588d1e47e6f2000c725401063ad1eb56d4ee78b97caa7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7AC0 | 5404 bytes |
| font_01_sfnt_off00008cfe.bin (SHA-256 2e9891ae6d5c222eec60b12a73b81bb69387537a489f5d9aca74c65d99ffaf7f) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8CFE | 3020 bytes |
| font_02_sfnt_off0000993a.bin (SHA-256 e5b43b052900a1298e7392133a2af002db6d63b9cfd88c1cc659c5f9a4709104) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x993A | 10076 bytes |