MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF file contains a critical heuristic firing for a malicious redirector link, which points to 'ttraff.cc'. This URL is designed to lure users into downloading potentially harmful software by masquerading as an installer. The document also contains a mass external PDF link farm, with 19 links, many hosted on Shopify, suggesting an attempt to distribute content widely or evade detection. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=acrobat+reader+10++offline+installer
- http://files.lgproma.com/uploads/1/3/0/7/130776130/kajata.pdf
- http://files.couragenations.com/uploads/1/3/1/4/131437779/5805363.pdf
- http://files.northernbeacheseisteddfod.com/uploads/1/3/0/9/130969965/jizirogolor-dewogofu-ruxinujebil-vevekupuxiru.pdf
- http://files.galwaylocaltourist.com/uploads/1/3/0/7/130739119/xizudimuperapu.pdf
- http://files.northernbeacheseisteddfod.com/uploads/1/3/0/9/130969965/jizirogolor-dewogofu-ruxinuj
- https://cdn.shopify.com/s/files/1/0429/5265/5002/files/70166094999.pdf
- https://cdn.shopify.com/s/files/1/0429/9309/0714/files/89983090230.pdf
- https://cdn.shopify.com/s/files/1/0430/4021/1097/files/98578476295.pdf
- https://cdn.shopify.com/s/files/1/0430/7235/6514/files/12575775622.pdf
- https://cdn.shopify.com/s/files/1/0430/4253/7629/files/71456658973.pdf
- https://cdn.shopify.com/s/files/1/0431/6931/7013/files/81990474024.pdf
- https://cdn.shopify.com/s/files/1/0430/5174/5442/files/fidezonigidi.pdf
- https://cdn.shopify.com/s/files/1/0437/4223/2725/files/97315089419.pdf
- https://cdn.shopify.com/s/files/1/0437/0982/5176/files/misudabalazofigareror.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/60868594071.pdf
- https://cdn.shopify.com/s/files/1/0431/2884/8538/files/pobevaxarifudojavinerepup.pdf
- https://cdn.shopify.com/s/files/1/0429/7257/7946/files/fifagadulogedovap.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/74251218784.pdf
- https://cdn.shopify.com/s/files/1/0434/1052/2277/files/86892700444.pdf
- https://cdn.shopify.com/s/files/1/0433/5039/2984/files/romunolekafipasobepof.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006efc.bin4f24b76b19781cc05e04447028a63954679a99b281ea5363d639f032bab4e684 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6EFC | 5128 bytes |
font_01_sfnt_off0000806a.binae49d8f16ebc6c9b45b60183321f0631388edee250c71dcb6518d50f6995c900 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x806A | 10184 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.