MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is associated with malicious activity. The document body and heuristics also indicate a lure related to password protection for PDFs, a common social engineering tactic. The presence of numerous external links, including a link farm, suggests an attempt to manipulate search engine results or distribute further malicious content. The sample also indicates a password-protected archive lure, suggesting a multi-stage attack.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=password+protect+pdf+adobe+acrobat+reader+dc
- https://static.usrfiles.com/ugd/6846fe_17e5dfecf6aa4bc98adf2f2d53c6100c.pdf
- https://static.usrfiles.com/ugd/1be480_c3fc43cca806487e9b9dfb791707aaa1.pdf
- https://static.usrfiles.com/ugd/b8c837_7ad786902dad40529b6f5a4242697e70.pdf
- https://static.usrfiles.com/ugd/de65f7_2471cfaa1c6d465d876b3f9fc3b9b9bb.pdf
- https://static.usrfiles.com/ugd/451a43_25476666df8f4f228253e73a33becf8f.pdf
- https://static.usrfiles.com/ugd/9cb927_d5c237252f5d4c6dbb85014805d16b1f.pdf
- https://static.usrfiles.com/ugd/9fc8c3_f7efebddda6746b3ae5167bb626bcabd.pdf
- https://static.usrfiles.com/ugd/99965f_f9524f753b8247b2b251a1ebf21c87eb.pdf
- https://static.usrfiles.com/ugd/ee9d3f_c17b9002491049cf8dddcd4fa6078377.pdf
- https://static.usrfiles.com/ugd/4f270c_9f2e7a6aa4c64ee19f3bb10009ac1fb9.pdf
- https://static.usrfiles.com/ugd/b8c837_9f64b48ba92745fcb58da6a16f35c53d.pdf
- https://static.usrfiles.com/ugd/b8c837_8277e1711f864ea2bf9e8915656ae08f.pdf
- https://cdn.shopify.com/s/files/1/0429/9610/5375/files/92968055854.pdf
- https://cdn.shopify.com/s/files/1/0437/9443/2161/files/gamiran.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006a1b.bin5701beee31522f9b8bc36787cfe483132a853ad3567f6cf20fabd2e074db4449 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A1B | 5348 bytes |
font_01_sfnt_off00007c64.bin8acdb14cf5a01293543a88a057e1210922970c9334d6f26e6ba945d28cba3756 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C64 | 9816 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.