MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=que+es+el+enlace+quimico+pdf'. Additionally, the document exhibits characteristics of a link farm, with numerous embedded URLs, many of which are hosted on Shopify. The document body, though heavily corrupted, contains the same redirector URL, suggesting a deliberate attempt to disguise malicious content within a seemingly innocuous PDF. No scripts were extracted, and the primary threat appears to be the redirection to malicious infrastructure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=que+es+el+enlace+quimico+pdf
- http://pejibiz.lopatswimming.org/uploads/1/3/0/8/130814124/1b1c796d653c6b.pdf
- http://files.aussiestingrays.com/uploads/1/3/0/9/130969740/9656696.pdf
- http://vegefixan.macaelstone.com/uploads/1/3/0/8/130813528/guvipereb.pdf
- http://raruxu.sagemitigation.com/uploads/1/3/0/8/130814229/1696278.pdf
- http://files.theatelierllc.com/uploads/1/3/1/8/131856392/tivumesemutadefiveru.pdf
- https://cdn.shopify.com/s/files/1/0430/0128/2711/files/tigozirexotozojujapa.pdf
- https://cdn.shopify.com/s/files/1/0446/4692/4451/files/canciones_infantiles_guitarra.pdf
- https://cdn.shopify.com/s/files/1/0431/5335/8999/files/13464490960.pdf
- https://cdn.shopify.com/s/files/1/0437/7129/7943/files/22729883109.pdf
- https://cdn.shopify.com/s/files/1/0431/7410/1160/files/sadatifilopukifedib.pdf
- https://cdn.shopify.com/s/files/1/0428/8207/2732/files/59622381398.pdf
- https://cdn.shopify.com/s/files/1/0433/7673/8462/files/21892681628.pdf
- https://cdn.shopify.com/s/files/1/0440/4586/1014/files/nekorefer.pdf
- https://cdn.shopify.com/s/files/1/0431/4519/9784/files/6333497151.pdf
- https://cdn.shopify.com/s/files/1/0433/4852/5208/files/95081529401.pdf
- https://cdn.shopify.com/s/files/1/0439/0017/4504/files/zawofesufolumivo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000da81.bin6e4e2cfd4f53d37583dc1d92bad8744d1f7588b64d968871f89fc368d8dc467f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA81 | 5392 bytes |
font_01_sfnt_off0000ecc5.binbea33e8068df2d5eda4a7072babf88735e2d93d303de243c8e38ddbbe510b2fa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xECC5 | 12100 bytes |
font_02_sfnt_off0001143b.binf7a15deb181bd1ce6552dea8ae01306019deb00e3e6bd24b2d2d72dc6ec7592f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1143B | 16128 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.