MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link and a link farm, indicating a phishing or scam attempt. The document body also contains the URL 'https://ttraff.ru/pify?keyword=full+face+mask+template' which is presented as a call-to-action, likely to trick the user into clicking it. The presence of numerous other PDF links suggests an attempt to manipulate search engine results or distribute further malicious content.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=full+face+mask+template
- http://files.triplejmoab.com/uploads/1/3/1/3/131379099/fewerezider.pdf
- http://files.shop-phe.com/uploads/1/3/1/4/131455198/zenunavu-towawelef.pdf
- http://files.heart2heartknittingfiberarts.com/uploads/1/3/2/8/132814611/susufiku_gofunolune_tasitabukulije.pdf
- http://files.ndeauction.org/uploads/1/3/0/8/130814466/fatidev-lotebozir-lesagenus.pdf
- https://cdn.shopify.com/s/files/1/0440/8256/1176/files/bosquejo_del_libro_de_hebreos.pdf
- https://cdn.shopify.com/s/files/1/0430/1992/7713/files/tekupevizunazodepomozu.pdf
- https://cdn.shopify.com/s/files/1/0429/4151/3894/files/koxononif.pdf
- https://cdn.shopify.com/s/files/1/0437/2578/3190/files/cancer_de_mama_epidemiologia_mexico_2020.pdf
- https://cdn.shopify.com/s/files/1/0428/0595/2671/files/blacksmith_wow_classic_leveling_guide.pdf
- https://cdn.shopify.com/s/files/1/0449/9672/2852/files/adam_khoo_trading_strategy.pdf
- https://cdn.shopify.com/s/files/1/0431/8937/1044/files/43023401589.pdf
- https://cdn.shopify.com/s/files/1/0432/3747/4472/files/samsung_galaxy_s8_android_10_rom.pdf
- https://cdn.shopify.com/s/files/1/0429/9823/5289/files/19363922927.pdf
- https://cdn.shopify.com/s/files/1/0428/6559/0438/files/79529725240.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000743d.binfda945ceab4970b5c11b5208f2911d1bd2093c4f8052302d5759ce77ae3a23e7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x743D | 5084 bytes |
font_01_sfnt_off00008583.bin11c1322ba787f3aec3036b2ad07479b93ba5933e7b413fa2612b39e03fa6bfec |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8583 | 10412 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.