MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=adventurer%2527s+backpack+skyrim'. Additionally, it exhibits a PDF link farm behavior, with numerous links to 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same malicious URL and a reference to a benign PDF, suggesting a lure to download content. The presence of a visual download button heuristic further supports the social engineering aspect of this attack.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=adventurer%2527s+backpack+skyrim
- https://static.usrfiles.com/ugd/b8c837_1036b049c496476fa302a3d9a69dcf2a.pdf
- https://static.usrfiles.com/ugd/7ff653_544ec4698266417e81b1f0f595d3114b.pdf
- https://static.usrfiles.com/ugd/b8c837_f98fac90fa214322abfe941517a167fb.pdf
- https://static.usrfiles.com/ugd/cf79db_7abeccdc6f024efaaf08e9be9eac3dd5.pdf
- https://static.usrfiles.com/ugd/b8c837_b494aee22bf24c66a2f01cbaac0af754.pdf
- https://static.usrfiles.com/ugd/b8c837_3d414944c9d648fc81976bb4761fe244.pdf
- https://static.usrfiles.com/ugd/b8c837_7a9611631e2c47a1bae29aa0f52696d1.pdf
- https://static.usrfiles.com/ugd/b8c837_d558f7d8314a43f29fd41b87880bd9e2.pdf
- https://static.usrfiles.com/ugd/b8c837_ae1002feafd14e38a9b8b3d76a79c158.pdf
- https://static.usrfiles.com/ugd/b8c837_dd536a2a81474067928e9b4219d4662d.pdf
- https://static.usrfiles.com/ugd/1f5cef_b6ec846877674d68bc67bc2368abd216.pdf
- https://cdn.shopify.com/s/files/1/0441/0625/2440/files/bitolevilobofu.pdf
- https://cdn.shopify.com/s/files/1/0432/2718/5309/files/jaweruvevisisikaker.pdf
- https://cdn.shopify.com/s/files/1/0433/4105/4105/files/loan_application_form_file.pdf
- https://cdn.shopify.com/s/files/1/0432/6152/6166/files/8976014856.pdf
- https://cdn.shopify.com/s/files/1/0431/5791/3754/files/wisixumugaroku.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005779.bin85ad806e88a2f634b4a96e046204802d49050162c890c78b46f27927cfc79b92 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5779 | 5576 bytes |
font_01_sfnt_off00006a65.bin1913e0d25cab32207281a339f677324cc4da61f8058023bbffd0b1caf366d42c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A65 | 10860 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.