MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=ap+1b+adangal'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The presence of a 'download button' heuristic further suggests a lure to click on these links. The document body itself is heavily obfuscated and contains the malicious URL.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=ap+1b+adangal
- https://static.usrfiles.com/ugd/49be48_a788a43b1d984563ae045faed86bda4e.pdf
- https://static.usrfiles.com/ugd/b8c837_88a1fd10b1924492acca1431404190da.pdf
- https://static.usrfiles.com/ugd/4d400c_e277631c6a0e495885e7b3a5b434f850.pdf
- https://static.usrfiles.com/ugd/c12414_296671442d9149be95d5991a0b440f2d.pdf
- https://cdn.shopify.com/s/files/1/0435/8438/9275/files/avast._lijit._com.pdf
- https://cdn.shopify.com/s/files/1/0435/7039/7339/files/94311014038.pdf
- https://cdn.shopify.com/s/files/1/0462/7215/1714/files/zununiwekejozagamil.pdf
- https://cdn.shopify.com/s/files/1/0433/4092/3048/files/50021512177.pdf
- https://cdn.shopify.com/s/files/1/0438/6563/7019/files/equivalent_fractions_decimals_and_percentages_worksheet.pdf
- https://static.usrfiles.com/ugd/b8c837_b1a0654b70ed4c788273c6c4335679f8.pdf
- https://static.usrfiles.com/ugd/b8c837_0ef0b7b5cfa94282a8fa342ea28f6974.pdf
- https://static.usrfiles.com/ugd/52b593_ec6b81b912d543d0b25e6deee449c37e.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bujebunefevefosilipepeju.pdf
- https://cdn.shopify.com/s/files/1/0434/4204/5090/files/fanupububomixiji.pdf
- https://cdn.shopify.com/s/files/1/0431/6410/6909/files/manodu.pdf
- https://cdn.shopify.com/s/files/1/0434/4145/5261/files/35308930315.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006d94.bin0d85df6d750cb27512a57d831fec2d34394a969df5906d6af7c9356bc00762a4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D94 | 5032 bytes |
font_01_sfnt_off00007ec8.bin409bdfe0ca9360a8c6971dddfca887ad2591f4994778c8874b2f34bf017f71d3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7EC8 | 9936 bytes |
font_02_sfnt_off0000a116.bin72d8ac11066ff0ffad9cf42e565e9963d9b16dd1e6d6eb985222be54a24f4e95 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA116 | 8596 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.