MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a heuristic indicating it's an advance-fee scam lure, presenting lottery or parcel delivery language. It also contains a malicious redirector link to 'ttraff.cc' and a large number of embedded links, many pointing to Shopify domains, suggesting a link farm for SEO manipulation. The document body, though partially garbled, contains the malicious URL and appears to be disguised as educational material.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=ejercicios+espa%2525C3%2525B1ol+sexto+grado
- https://cdn.shopify.com/s/files/1/0431/4651/0498/files/cengage_maths_jee_mains.pdf
- https://cdn.shopify.com/s/files/1/0437/2067/1384/files/42786650305.pdf
- https://cdn.shopify.com/s/files/1/0434/8664/2338/files/velewulekok.pdf
- https://cdn.shopify.com/s/files/1/0462/6622/0695/files/spent_game_guide.pdf
- https://cdn.shopify.com/s/files/1/0435/4742/6975/files/80826444661.pdf
- https://cdn.shopify.com/s/files/1/0439/1705/0008/files/jumoj.pdf
- https://cdn.shopify.com/s/files/1/0430/7006/2754/files/34156097891.pdf
- https://static.usrfiles.com/ugd/d17951_dad066250c4943e2af8235dcfb8c5030.pdf
- https://static.usrfiles.com/ugd/98e298_d4f3b8a1908b4951b62c01421115938d.pdf
- https://static.usrfiles.com/ugd/221f3a_8c057d922231482880fac83f29a39505.pdf
- https://static.usrfiles.com/ugd/e5a943_5ad282af1f8d4ed686aa1ad94e0b748d.pdf
- https://static.usrfiles.com/ugd/b8c837_e91ff4138f344b0bbd5ffb5a6cf491fe.pdf
- https://static.usrfiles.com/ugd/9b33c5_56f8241e7391404d88da66e2f95ec3e6.pdf
- https://static.usrfiles.com/ugd/b8c837_5ee0e4978d2f4d1aa929704d3dc48fbb.pdf
- https://static.usrfiles.com/ugd/b8c837_1bf73c9469a149e29844297101e16ec4.pdf
- https://static.usrfiles.com/ugd/4cf28d_25e41faa6d8745bc8908f69f8a155624.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001618c.bin80ac707a9d23fb76d5139460e530f62169ffabf05a5706c98be450b40289c694 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1618C | 5552 bytes |
font_01_sfnt_off00017441.bin9e5e9b3b5e51acfe2a1cd6ae051ad51336dd9e633c1d13a724d218ffb1af2528 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17441 | 15788 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.