MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1200 Hardware Add-in
T1059.001 PowerShell
The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This indicates the document is designed to redirect users to potentially harmful sites. Additionally, another critical heuristic identified a PDF link farm, suggesting an attempt to artificially inflate search engine rankings or distribute links. The document body, though heavily obfuscated, contains metadata indicating it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, further supporting the link-based attack vector.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=database%20analysis%20pdf
- http://files.haydencanoepole.com/uploads/1/3/0/7/130776327/84444.pdf
- http://files.ryanchrisbartlett.com/uploads/1/3/1/6/131606128/lefuvufulevub_xiwodasosuteri_fusubi_zojewewiwip.pdf
- http://files.binghamtonrooted.org/uploads/1/3/1/0/131070895/xejepaloferexivi.pdf
- https://vudilofifo.files.wordpress.com/2020/07/32759010246.pdf
- https://vofufogufi.files.wordpress.com/2020/06/wopidewagovuwuj.pdf
- https://gufamazujudu.files.wordpress.com/2020/07/xofezusubufonapabe.pdf
- https://bofajif.files.wordpress.com/2020/06/3688600161.pdf
- https://sazexaki.files.wordpress.com/2020/06/59233936987.pdf
- https://zexosutu.files.wordpress.com/2020/06/dofuj.pdf
- https://dafaxekitupu.files.wordpress.com/2020/07/57047238332.pdf
- https://dasiwizuno.files.wordpress.com/2020/07/84260159560.pdf
- https://cdn.shopify.com/s/files/1/0431/3173/2125/files/46782224922.pdf
- https://cdn.shopify.com/s/files/1/0428/6644/2406/files/93209498300.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pobilimej.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/46506788711.pdf
- https://cdn.shopify.com/s/files/1/0428/1594/6911/files/75728909656.pdf
- https://cdn.shopify.com/s/files/1/0427/4470/9276/files/69865418881.pdf
- https://cdn.shopify.com/s/files/1/0433/1382/3909/files/74274749879.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xutowoterefabobenovise.pdf
- https://cdn.shopify.com/s/files/1/0434/5144/9496/files/31731180116.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00017343.bindb5bc930c9de52e1f6020383b57b0858642a2819c383139c49dbe26a726fb153 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17343 | 4856 bytes |
font_01_sfnt_off000183d4.binff7b82abebb84f61a5686eef53d97a73f0e7085c7e3803e077be0b882f880232 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x183D4 | 11896 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.