MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains numerous embedded links, many pointing to Shopify domains, but one critical link redirects to a known malicious domain (ttraff.com). This suggests a phishing or redirection attack. The document body, though heavily obfuscated, contains the malicious URL, indicating an attempt to lure the user to a harmful site. The presence of a QR code lure further supports a phishing pretext.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
QR-code redirect lure medium SE_QR_LUREDocument instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=volume+of+prisms+worksheet
- https://cdn.shopify.com/s/files/1/0434/3644/1767/files/functions_of_computer_operating_system.pdf
- https://cdn.shopify.com/s/files/1/0431/3445/1874/files/4863668838.pdf
- https://cdn.shopify.com/s/files/1/0433/5131/0488/files/saxuzimopubeketibikokukat.pdf
- https://cdn.shopify.com/s/files/1/0436/2820/0096/files/bamford_classification_of_stroke.pdf
- https://cdn.shopify.com/s/files/1/0431/6135/4389/files/bekibe.pdf
- https://cdn.shopify.com/s/files/1/0432/6372/1637/files/nosanegokalasojodazomit.pdf
- https://cdn.shopify.com/s/files/1/0430/8946/1410/files/jusoxo.pdf
- https://cdn.shopify.com/s/files/1/0430/6868/6497/files/25834799338.pdf
- https://cdn.shopify.com/s/files/1/0433/5520/9886/files/84172390779.pdf
- https://cdn.shopify.com/s/files/1/0429/2352/4259/files/tarakimo.pdf
- https://cdn.shopify.com/s/files/1/0430/9562/1786/files/8492198120.pdf
- https://cdn.shopify.com/s/files/1/0439/4093/7896/files/happy_birthday_music_sheet_virtual_piano.pdf
- https://cdn.shopify.com/s/files/1/0436/2820/0096/files/50657052834.pdf
- https://cdn.shopify.com/s/files/1/0436/9884/7896/files/62177574498.pdf
- https://cdn.shopify.com/s/files/1/0429/6422/2101/files/womudagowuromikapekuzuv.pdf
- https://cdn.shopify.com/s/files/1/0432/6971/8182/files/waxazijitijuvodurogopik.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mesibilefonupas.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ac75.bin3b89a1333aa93e194de12c5c5da229a8f3a969ace6b07a90c5323b9ece6747ec |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAC75 | 2828 bytes |
font_01_sfnt_off0000b670.binab262771cb5db875c763b76ee52bb74c7e05a9b5e751aac0879e0aa7dd5e2af6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB670 | 5084 bytes |
font_02_sfnt_off0000c7b7.bin8ecbd849be9b5c897742aa5fa2fc93b4b56cec65684e83f27909f44e0fa649e5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC7B7 | 10012 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.