Verdict: MALICIOUS
Risk Score: 160

Malware Insights

MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1204.001 User Execution: Malicious Link
- T1059.001 PowerShell
The PDF file triggers a heuristic indicating that it carries a malicious redirector link, pointing to a URL whose keyword parameter suggests an "answer key" lure. This URL is part of a link farm, with many other links hosted on Shopify. The document body, though heavily obfuscated, contains the same redirector URL. The SE_BROWSER_INSTALL_LURE heuristic indicates that the document's text prompts the user to install something, a common social-engineering tactic.
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Browser extension / update installation lure [high, SE_BROWSER_INSTALL_LURE]: Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs
- https://ttraff.link/wix?keyword=ecological+pyramids+virtual+lab+answer+key
- https://cdn.shopify.com/s/files/1/0440/4301/0198/files/mysql_connection_string.pdf
- https://cdn.shopify.com/s/files/1/0438/1832/0034/files/class_11_biology_chapter_9_notes.pdf
- https://cdn.shopify.com/s/files/1/0430/3477/1610/files/tidirekilemitige.pdf
- https://cdn.shopify.com/s/files/1/0435/6934/8763/files/33476332708.pdf
- https://cdn.shopify.com/s/files/1/0454/5613/0200/files/biomagnetismo_dr_goiz.pdf
- https://cdn.shopify.com/s/files/1/0439/8641/9870/files/vojanavidijiwofizare.pdf
- https://cdn.shopify.com/s/files/1/0435/7573/8527/files/49560969261.pdf
- https://cdn.shopify.com/s/files/1/0432/7230/6846/files/cuales_fueron_las_5_plagas_de_egipto.pdf
- https://cdn.shopify.com/s/files/1/0434/8461/0712/files/2017.pdf
- https://cdn.shopify.com/s/files/1/0437/3620/3415/files/53414347365.pdf
- https://cdn.shopify.com/s/files/1/0432/6912/8354/files/jibupupuxenasiji.pdf
- https://24cbfadb-1610-4e87-98a5-419c00eabb09.filesusr.com/ugd/35ddae_72b71b860a5b4fc9b449d71ed56ed73e.pdf?index=true
- https://d4002523-a92b-469b-9f84-e739401b90ad.filesusr.com/ugd/668a47_a0bfb1d6fd7041918a09e08c39b782d6.pdf?index=true
- https://2bb3c357-3801-4d30-a0af-b6011697c811.filesusr.com/ugd/35e1ce_50ea98591fdd448095f647ec412b3fd8.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000093ec.bin | 15ddf1b2797c654710f6a471df23e13b42cf6e73ec706bab4a50c0ddb3d80814 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x93EC | 5808 bytes |
| font_01_sfnt_off0000a7bc.bin | 86243368291b9dacacd579c88137c243cd4ae3d0b5774cfaaa8ef42c2d6a552a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA7BC | 10288 bytes |
| font_02_sfnt_off0000cb3a.bin | 2c9ae159d9fa86f1b720ab867039a809abc82cd28afdc2a7a0d04b7ca86b516c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCB3A | 16912 bytes |