MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. This URL is presented to the user as a download link for a "Six sigma yellow belt for dummies pdf". The file also contains a large number of embedded links, many of which point to Shopify domains, suggesting a link farm or SEO poisoning tactic. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=six+sigma+yellow+belt+for+dummies+pdf
- http://files.seasportsbelize.com/uploads/1/3/1/3/131380120/japovi_debupitogugas_midozitarew.pdf
- http://files.drjustinbacklund.com/uploads/1/3/1/4/131406744/vukijejumulupoj.pdf
- http://files.zimengmusic.com/uploads/1/3/0/7/130775998/xemaleva.pdf
- http://files.casparmckeever.com/uploads/1/3/1/4/131438449/ca906f12.pdf
- http://files.creativedentaldesignsaz.com/uploads/1/3/2/7/132710683/f34d04b31a2.pdf
- https://cdn.shopify.com/s/files/1/0427/6482/8838/files/13898227976.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/58580374151.pdf
- https://cdn.shopify.com/s/files/1/0430/3493/5447/files/92313199177.pdf
- https://cdn.shopify.com/s/files/1/0428/6690/1148/files/10737239586.pdf
- https://cdn.shopify.com/s/files/1/0430/4309/4677/files/kufedexulisija.pdf
- https://cdn.shopify.com/s/files/1/0437/8597/8018/files/49352452980.pdf
- https://cdn.shopify.com/s/files/1/0428/2476/1510/files/supoborawopis.pdf
- https://cdn.shopify.com/s/files/1/0431/0673/0138/files/benisedikopibekeno.pdf
- https://cdn.shopify.com/s/files/1/0434/3159/2088/files/42384043244.pdf
- https://cdn.shopify.com/s/files/1/0431/2036/1629/files/wuxuwa.pdf
- https://cdn.shopify.com/s/files/1/0432/3305/0779/files/budijitodosadelaked.pdf
- https://cdn.shopify.com/s/files/1/0430/4994/3202/files/10494584280.pdf
- https://cdn.shopify.com/s/files/1/0432/6454/0835/files/45528064999.pdf
- https://cdn.shopify.com/s/files/1/0434/6213/1878/files/furosazapewotikosodetubi.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/75555741983.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0430/4309/4677/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008096.bin8b46736686be73641380d8a69f20d9f86d5f98da155e57a8e69b45b080d13f90 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8096 | 5640 bytes |
font_01_sfnt_off000093e0.bin704fe022f5054a3da9cbdf00be90905f744500d1e70c23d5e8d42b9fc1779956 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x93E0 | 10844 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.