Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Link
T1204.001 Malicious Link
T1059.001 PowerShell (note: nothing extracted from this sample, and none of the heuristics below, evidence PowerShell execution; treat this mapping as unsupported by the artifacts on this page)
The PDF carries a mass of external links, including a critical-severity redirector link to ttraff.cc (https://ttraff.cc/pify?keyword=google+chromium+free++for+ubuntu) presented as a free software download (a Chromium build for Ubuntu). Together with the Browser Install Lure and Password Archive Lure heuristics, this points to a social-engineering delivery chain: the document body itself contains the redirector URL, and the user is steered into following it to fetch further payloads or to hand over credentials. None of the heuristics involve a PDF parser vulnerability; the whole chain depends on user interaction and HTTP redirects.
Heuristics 5
- critical PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure. The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- critical PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm. The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- high SE_PASSWORD_ARCHIVE_LURE: Password-protected archive handoff. The document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
- high SE_BROWSER_INSTALL_LURE: Browser extension / update installation lure. The document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
- info EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.cc/pify?keyword=google+chromium+free++for+ubuntu
- http://newiweka.furgetmenotrescue.org/uploads/1/3/1/3/131398360/958631.pdf
- http://files.sopoochtraining.com/uploads/1/3/2/8/132815961/kawivibugakovuj.pdf
- https://cdn.shopify.com/s/files/1/0431/6600/7457/files/40604435343.pdf
- https://cdn.shopify.com/s/files/1/0433/1290/6405/files/sumusewajilul.pdf
- https://cdn.shopify.com/s/files/1/0434/8179/2677/files/rujamasex.pdf
- https://cdn.shopify.com/s/files/1/0437/5920/6558/files/ambala_weather_report_today.pdf
- https://cdn.shopify.com/s/files/1/0431/7272/4897/files/91547909741.pdf
- https://cdn.shopify.com/s/files/1/0431/6643/3435/files/las_amistades_particulares_roger_peyrefitte.pdf
- https://cdn.shopify.com/s/files/1/0430/6753/9623/files/95871886564.pdf
- https://cdn.shopify.com/s/files/1/0437/1913/1285/files/95258041884.pdf
- https://cdn.shopify.com/s/files/1/0427/5470/3526/files/15738225086.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

The last six entries (w3.org, purl.org and ns.adobe.com) are XMP/RDF namespace identifiers from the document's metadata packet, not clickable link annotations. They appear in any PDF that carries XMP metadata and should not be counted toward the link-farm total or blocked as indicators.
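The two critical heuristics above (redirector link, SEO link farm) and the per-channel URL labelling of the EMBEDDED_URL entry can be reproduced with a small raw-byte triage script. The following is an added example written for this page, not the analyzer's own code: it parses /URI link annotations, Tj text strings and XMP xmlns declarations out of an uncompressed PDF, labels each URL by the channel that reached it, and applies a link-farm check. The thresholds (MIN_LINKS, MAX_SIZE, MIN_HOST_SHARE) and the single-entry REDIRECTOR_HOSTS set are assumptions for illustration; the sample PDF is constructed inline from URLs listed in this report and is not the analysed file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Host this report names as redirector infrastructure; any wider list is an assumption.
REDIRECTOR_HOSTS = {"ttraff.cc"}

# Assumed thresholds for the SEO link-farm heuristic (illustrative, not the analyzer's real values).
MIN_LINKS = 5            # at least this many clickable external URIs
MAX_SIZE = 64 * 1024     # "small" PDF: at most 64 KiB
MIN_HOST_SHARE = 0.5     # majority of those links on a single host

# Constructed sample: an uncompressed PDF (no xref table, which raw-byte triage does not need)
# with one redirector link, five links clustered on one host, the redirector URL repeated in
# displayed page text, and an XMP packet whose xmlns URIs are namespaces, not clickable links.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R
  /Annots [6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R] >> endobj
4 0 obj << /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:pdf="http://ns.adobe.com/pdf/1.3/" xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>
endstream
endobj
5 0 obj << >>
stream
BT /F1 12 Tf (Download: https://ttraff.cc/pify?keyword=google+chromium+free++for+ubuntu) Tj ET
endstream
endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.cc/pify?keyword=google+chromium+free++for+ubuntu) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0431/6600/7457/files/40604435343.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0433/1290/6405/files/sumusewajilul.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0434/8179/2677/files/rujamasex.pdf) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0437/5920/6558/files/ambala_weather_report_today.pdf) >> >> endobj
11 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0431/7272/4897/files/91547909741.pdf) >> >> endobj
%%EOF
"""

URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # literal-string /URI values only
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')     # XMP namespace declarations
TEXT_STRING_RE = re.compile(rb"\(([^)]*)\)\s*Tj")            # strings drawn by the Tj text operator
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def extract_uri_annotations(pdf: bytes) -> list[str]:
    """Clickable URIs from uncompressed /Link annotations. Objects packed into compressed
    object streams (/ObjStm) would have to be inflated first; this is raw-byte triage."""
    return [m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(pdf)]


def extract_xmp_namespaces(pdf: bytes) -> set[str]:
    """Namespace URIs declared in XMP metadata; present in benign PDFs too."""
    return {m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf)}


def extract_body_urls(pdf: bytes) -> set[str]:
    """URLs that appear in displayed page text (document body), independent of annotations."""
    found: set[str] = set()
    for s in TEXT_STRING_RE.finditer(pdf):
        found.update(u.decode("latin-1") for u in URL_RE.findall(s.group(1)))
    return found


def classify_urls(pdf: bytes) -> dict[str, set[str]]:
    """Per-URL channel labels in the spirit of the EMBEDDED_URL entry: the URL alone is not
    a detection, the channel that reached it is what the analyst needs."""
    channels: dict[str, set[str]] = {}
    for u in extract_uri_annotations(pdf):
        channels.setdefault(u, set()).add("link annotation")
    for u in extract_body_urls(pdf):
        channels.setdefault(u, set()).add("document body")
    for u in extract_xmp_namespaces(pdf):
        channels.setdefault(u, set()).add("xmp namespace")
    return channels


def link_farm_verdict(pdf: bytes) -> dict:
    """SEO link-farm heuristic: many clickable external links, mostly on one host, in a small
    file. Namespace URIs are excluded so metadata cannot inflate the count."""
    namespaces = extract_xmp_namespaces(pdf)
    uris = [u for u in extract_uri_annotations(pdf) if u not in namespaces]
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    return {
        "size": len(pdf),
        "external_links": len(uris),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "redirector_links": sorted(u for u in uris if urlparse(u).hostname in REDIRECTOR_HOSTS),
        "link_farm": len(pdf) <= MAX_SIZE and len(uris) >= MIN_LINKS and share >= MIN_HOST_SHARE,
    }


if __name__ == "__main__":
    for url, chans in classify_urls(SAMPLE_PDF).items():
        print(f"{', '.join(sorted(chans)):32} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
```

Run it as a script to see the channel table and the verdict. On the constructed sample the redirector URL is reported under both "link annotation" and "document body", matching the report's observation that the body itself carries the URL, while the XMP namespace URIs are labelled only as metadata and never count toward the link-farm tally. Real samples usually compress annotations into object streams, so the same regexes would be run over the inflated objects rather than the raw file.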
Extracted artifacts 3
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00017440.bin | 9aaa79b69c0ad796861b88a82b72a0f521c20274b45a6f76d684a246a4b87441 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17440 | 5080 bytes |
| font_01_sfnt_off00018573.bin | 62bbcec0578a211ebb5bd7e17aa5507918bfb7ee1d4456b0cd54d0b24d6aa1e2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18573 | 15720 bytes |
| font_02_sfnt_off0001b735.bin | b2563e85233037e3c2780690ed1455257f868516b5a962e54e6ffe29314c9cb1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B735 | 16312 bytes |