MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious site. Additionally, PDF_SEO_LINK_FARM suggests the document is part of a link farm, with numerous external PDF links. The primary malicious URL identified is https://ttraff.ru/wix?keyword=sidi+crossfire+2+replacement+parts, which is likely used to redirect users to a malicious payload. The document body contains obfuscated text and the malicious URL.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=sidi+crossfire+2+replacement+parts
- https://cdn.shopify.com/s/files/1/0438/8156/2280/files/lajawopivugipogat.pdf
- https://cdn.shopify.com/s/files/1/0430/8677/4436/files/wusupovuzesovol.pdf
- https://cdn.shopify.com/s/files/1/0427/7708/4070/files/gojinifaxarefizivuvi.pdf
- https://cdn.shopify.com/s/files/1/0433/7349/4430/files/uneb_chemistry_past_papers.pdf
- https://cdn.shopify.com/s/files/1/0433/5858/4986/files/cuento_almohadon_de_plumas.pdf
- https://cdn.shopify.com/s/files/1/0440/4061/8134/files/ludzie_bezdomni_lektura_z_opracowaniem.pdf
- https://cdn.shopify.com/s/files/1/0431/5496/4637/files/pukipadesaduzepuzuvum.pdf
- https://cdn.shopify.com/s/files/1/0431/4578/9600/files/oxford_english_dictionary_full.pdf
- https://cdn.shopify.com/s/files/1/0436/1030/8765/files/9077784252.pdf
- https://cdn.shopify.com/s/files/1/0430/8720/0418/files/nutonoxudinixakoxojemuvex.pdf
- https://static.usrfiles.com/ugd/314c35_7370baa0eb554d5490dacb94dfae29c6.pdf
- https://static.usrfiles.com/ugd/b8c837_d4331bf6850348ae97cdea7eee0664fe.pdf
- https://static.usrfiles.com/ugd/be19e1_0ab268c023ce4d8e83a6cef34922dab1.pdf
- https://static.usrfiles.com/ugd/4b874d_dd212a9aa4424815a9be78a1f78d8736.pdf
- https://cdn.shopify.com/s/files/1/0435/9526/8264/files/80038576753.pdf
- https://cdn.shopify.com/s/files/1/0432/1237/4174/files/arjun_patiala_video_songs_pagalworld.pdf
- https://cdn.shopify.com/s/files/1/0434/9739/0244/files/66688440212.pdf
- https://cdn.shopify.com/s/files/1/0427/8488/2844/files/jovawiba.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005139.bin1cab93e4d1bd6ecee216b44fe3d5d2ac71f094b2b01d61ed73b4645c4cd4c670 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5139 | 5536 bytes |
font_01_sfnt_off000063f4.bin18d615b1ce7f38b740d768b7252fb8985ef1fe6aa6ac47b554a5cbe5cf990a2e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x63F4 | 10992 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.