MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing indicating a malicious redirector link. The document body, though heavily obfuscated, contains text related to a '16 personality factor questionnaire' and a URL that matches the redirector. This suggests a phishing or malware delivery attempt. The PDF also contains a large number of external links, many pointing to Shopify domains, which is indicative of a link farm used for SEO poisoning or distributing malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=16+personality+factor+questionnaire+16pf+pdf
- http://files.petandtortoiseworld.co.uk/uploads/1/3/0/7/130776526/dokawi-wukufomizinow-tulutagovoke-wideponemuwa.pdf
- http://files.myschoolchoicestory.org/uploads/1/3/0/8/130813888/0e2a679.pdf
- http://files.landartfinegardening.com/uploads/1/3/2/7/132710783/rumopavejevitav_bonejexo_taxuzozikonim.pdf
- https://cdn.shopify.com/s/files/1/0440/1207/7206/files/balloon_coloring_page.pdf
- https://cdn.shopify.com/s/files/1/0432/8616/7702/files/sosutapazapujogozozen.pdf
- https://cdn.shopify.com/s/files/1/0431/2891/4074/files/64892738564.pdf
- https://cdn.shopify.com/s/files/1/0429/5560/4121/files/69761008275.pdf
- https://cdn.shopify.com/s/files/1/0439/1282/2939/files/tajesum.pdf
- https://cdn.shopify.com/s/files/1/0433/6903/7980/files/33213769312.pdf
- https://cdn.shopify.com/s/files/1/0428/4783/0183/files/16736217550.pdf
- https://cdn.shopify.com/s/files/1/0429/1844/5223/files/42008252899.pdf
- https://cdn.shopify.com/s/files/1/0430/6855/5415/files/18669165102.pdf
- https://cdn.shopify.com/s/files/1/0433/5448/8990/files/alphabet_military.pdf
- https://cdn.shopify.com/s/files/1/0439/0633/4888/files/5745546687.pdf
- https://cdn.shopify.com/s/files/1/0431/0650/0769/files/benim_hocam_tarih_ders_notlar.pdf
- https://cdn.shopify.com/s/files/1/0451/3703/5429/files/utility_bill_template_uk.pdf
- https://cdn.shopify.com/s/files/1/0429/9161/6153/files/pipesobetiligexeker.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006a1c.binb053b9e41bf80b17634327bc5e3a74959b9687d1d155594d409a813247bffcdf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A1C | 5488 bytes |
font_01_sfnt_off00007cc7.bin457a68f548e2198995f29e5d9b37301b6f2c98799a6bf819fbf3974c464d9a83 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7CC7 | 6964 bytes |
font_02_sfnt_off00009097.bin1b5648970a925c7f2937602e96faf11d765e7137b8a32c8b48c3311fde05349f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9097 | 12164 bytes |
font_03_sfnt_off0000b859.bin2fdc0f6b3cd290cfb9b318a5180a8f5ad6966f4b3b2be9471efc22e21f9a6cd8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB859 | 17084 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.