MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a prominent link to 'ttraff.club', identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL and references to 'wkhtmltopdf', suggesting it was generated programmatically. The presence of a link farm and the SE_LOLBIN_RUN_COMMAND heuristic indicate an attempt to disguise malicious activity and potentially execute commands. The primary attack vector appears to be directing the user to a malicious URL, likely for phishing or to download further payloads.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.club/wix?keyword=rendre+cl%25C3%25A9+usb+bootable+cmd+pdf
- https://static.usrfiles.com/ugd/c3548c_3539f23920754e66af537c81fe23f02a.pdf
- https://static.usrfiles.com/ugd/9117e0_4a261d9245fd484bba3d5a9d8859e6d8.pdf
- https://static.usrfiles.com/ugd/b444d4_11055af84de944f7a71bd014d3ae72d9.pdf
- https://static.usrfiles.com/ugd/b8c837_71ee7a45dfad423e9b5932f2d52fef28.pdf
- https://static.usrfiles.com/ugd/d01287_757dc265f687464ba4b34d0839665904.pdf
- https://cdn.shopify.com/s/files/1/0430/9480/2583/files/58878865420.pdf
- https://static.usrfiles.com/ugd/7f16bd_6b8204c6e2ad48dd8934b6f7f2d72add.pdf
- https://static.usrfiles.com/ugd/0df15e_403876daf5dd4b999758401c95ad22b4.pdf
- https://static.usrfiles.com/ugd/b8c837_0f1025a04ad5401f862ceab7ce9da77f.pdf
- https://static.usrfiles.com/ugd/bbd3cf_79242b40ccd547899d906ff920c82313.pdf
- https://static.usrfiles.com/ugd/6c032c_d17c12bced634b3ab35eb546dd63d466.pdf
- https://static.usrfiles.com/ugd/8b4172_1b48fda6350b452190e86cf0f783a0ba.pdf
- https://static.usrfiles.com/ugd/948cea_5581cb7b47cf444fb4ee4628001c785e.pdf
- https://static.usrfiles.com/ugd/b77b08_4047fad3ca454b07bb98041bf3287273.pdf
- https://static.usrfiles.com/ugd/c0a468_9dde9276e6fc4050ac89447bb2b70670.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f2f.bin113d7d7ed7adddfd6da96372fd20a3127c8db8b920e369610b59a1baaaa7f252 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F2F | 5588 bytes |
font_01_sfnt_off000081d8.bin554f6c4fca92bb5bfbdba9eb316bc90a9adbdb53712bbf2d9e11dd160ab75152 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x81D8 | 10808 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.