MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.003 Windows Command Shell
The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=commands+in+cmd+prompt+pdf'. Additionally, the document body contains text that instructs the user to copy or paste clipboard content into a command-line interface, indicating a lure for command execution. The presence of a large number of embedded links, many pointing to Shopify domains, suggests a link farm for SEO manipulation or traffic redirection.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=commands+in+cmd+prompt+pdf
- http://guxor.bourlandestates.com/uploads/1/3/2/8/132816066/terodesasidara_kojifo_vovavipoz_ruvuxasisezur.pdf
- http://files.narinsedc.com/uploads/1/3/0/8/130814907/rowukisurizimagomut.pdf
- http://files.oppenheimart.com/uploads/1/3/1/4/131453252/gawifu.pdf
- http://wekam.alejandromercado.rockykramer.com/uploads/1/3/0/8/130874620/pogazososex.pdf
- http://files.jorgebarro.com/uploads/1/3/0/7/130740116/bezetikijajal-bekuf-gigobeweza.pdf
- https://cdn.shopify.com/s/files/1/0434/4145/5254/files/57511196461.pdf
- https://cdn.shopify.com/s/files/1/0433/1202/1662/files/79470549010.pdf
- https://cdn.shopify.com/s/files/1/0432/7201/1941/files/understanding_our_universe.pdf
- https://cdn.shopify.com/s/files/1/0434/4456/8220/files/64162104794.pdf
- https://cdn.shopify.com/s/files/1/0434/6845/6102/files/55569992613.pdf
- https://cdn.shopify.com/s/files/1/0439/8995/8814/files/tutorial_sql_server_management_studio_2020_espaol.pdf
- https://cdn.shopify.com/s/files/1/0433/8886/2614/files/nedubuvejise.pdf
- https://cdn.shopify.com/s/files/1/0431/6394/3067/files/65494162280.pdf
- https://cdn.shopify.com/s/files/1/0434/4496/1442/files/present_perfect_tense_with_already_and_yet.pdf
- https://cdn.shopify.com/s/files/1/0434/3323/0488/files/8137571079.pdf
- https://cdn.shopify.com/s/files/1/0437/1814/8261/files/baxuniwupopajum.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000a477.bina0ee709f0aac2583ee59f8c74241f0710df2de5040ae24c4ac663f53d566f8e5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA477 | 5172 bytes |
font_01_sfnt_off0000b5f2.bin1d368b1208f316da8c38c64e19f60424f281705ee9b8054470570244d0a5418d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB5F2 | 12528 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.