Verdict: MALICIOUS
Risk Score: 168

Malware Insights

MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.cc', which is used to lure users with keywords like 'call of duty 4 binkw32. dll'. The document also contains a mass external PDF link farm, with many links pointing to 'static.usrfiles.com'. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' suggests the document may also instruct users to execute commands, further indicating a malicious workflow. No scripts were extracted from this sample.
Heuristics (5)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs
- https://ttraff.cc/wix?keyword=call+of+duty+4+binkw32.+dll
- https://static.usrfiles.com/ugd/b8c837_dfe1d7760b8645cd8075260c6caec18d.pdf
- https://static.usrfiles.com/ugd/e2c250_7596f243795c453099d0a3fb2b27dfb5.pdf
- https://static.usrfiles.com/ugd/b972d5_6212e67bbfd54bd3acf900e72175050f.pdf
- https://static.usrfiles.com/ugd/0a593f_9e4803ba914347abb31844ba01b71cfb.pdf
- https://static.usrfiles.com/ugd/735189_e5bc31a4f3274f7b9fcb4733af2108d9.pdf
- https://cdn.shopify.com/s/files/1/0427/9202/6271/files/magova.pdf
- https://cdn.shopify.com/s/files/1/0437/7883/4586/files/94613405889.pdf
- https://cdn.shopify.com/s/files/1/0439/3123/8555/files/easl_guidelines_liver_abscess.pdf
- https://static.usrfiles.com/ugd/b8c837_189295f9b67f465890b07b2c896eb7bb.pdf
- https://static.usrfiles.com/ugd/b8c837_eeeec7059f2c46c69f5ad0e5a6696a2e.pdf
- https://cdn.shopify.com/s/files/1/0434/8110/4541/files/50192603966.pdf
- https://cdn.shopify.com/s/files/1/0431/2950/3901/files/11383219759.pdf
- https://cdn.shopify.com/s/files/1/0433/4610/0392/files/managerial_accounting_garrison_15th.pdf
- https://cdn.shopify.com/s/files/1/0432/8049/8841/files/gokixo.pdf
- https://cdn.shopify.com/s/files/1/0434/2890/5127/files/modobodekonu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00006043.bin | 22305f41a72408c80b87b4c45ed0297adb8566e4f12fe0606904321d847010c9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6043 | 5228 bytes |
| font_01_sfnt_off00007244.bin | c92c09f083665ef486e26643d7169a4cd6aff2aea3861bf5eb267cc38635008e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7244 | 10524 bytes |
| font_02_sfnt_off00009606.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9606 | 4324 bytes |