MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it exhibits characteristics of a link farm, with numerous external PDF links, many hosted on 'cdn.shopify.com'. The document body, though heavily garbled, contains text related to converting PDF to images and mentions 'wkhtmltopdf', suggesting a potential lure to disguise malicious content. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic further supports the idea of a user-driven action to initiate a malicious workflow.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=chuy%25E1%25BB%2583n+%25C4%2591%25E1%25BB%2595i+t%25E1%25BB%25AB+file+pdf+sang+h%25C3%25ACnh+%25E1%25BA%25A3nh
- http://files.aloenottingham.com/uploads/1/3/2/6/132696351/84004f905d118b1.pdf
- http://files.familyrecoverysolutions.net/uploads/1/3/1/0/131070895/6368661.pdf
- http://files.guerasboutique.com/uploads/1/3/2/3/132303151/442422.pdf
- https://cdn.shopify.com/s/files/1/0428/2348/3548/files/tewavepen.pdf
- https://cdn.shopify.com/s/files/1/0431/7547/7416/files/fumumopu.pdf
- https://cdn.shopify.com/s/files/1/0433/5756/9176/files/29008583480.pdf
- https://cdn.shopify.com/s/files/1/0432/2571/0750/files/40198201226.pdf
- https://cdn.shopify.com/s/files/1/0435/5263/7091/files/13270768390.pdf
- https://cdn.shopify.com/s/files/1/0427/5650/5756/files/51251291699.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lorabo.pdf
- https://cdn.shopify.com/s/files/1/0432/3213/3278/files/30042516428.pdf
- https://cdn.shopify.com/s/files/1/0429/4803/4716/files/soduxofozo.pdf
- https://cdn.shopify.com/s/files/1/0430/9961/9492/files/36194334877.pdf
- https://cdn.shopify.com/s/files/1/0440/6122/9206/files/85397023003.pdf
- https://cdn.shopify.com/s/files/1/0432/6942/3269/files/tagumujanenitozivu.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65788935473.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008034.binb800617f76db028443e72ffd573235dcb0fc6450991d8959ee6194b09783930a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8034 | 6144 bytes |
font_01_sfnt_off000093ee.binfa9f5dbdbb9427a44d432115199e029854ab5bd5d0a991850c3699e5acdbad8f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x93EE | 10496 bytes |
font_02_sfnt_off0000b7c5.bin8afa5c58491584559c08e2b00c093151bbc2737ebeb0f8dba3133450c0463f2f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB7C5 | 16684 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.