MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a mass external link farm, with a critical heuristic firing indicating a redirector to known malicious infrastructure. The primary malicious URL identified is https://ttraff.ru/pify?keyword=arabic+calligraphy+art+pdf. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDF files hosted on various domains, suggesting a phishing or scam attempt to lure users to malicious content. No scripts were extracted, limiting the analysis of direct execution capabilities.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=arabic+calligraphy+art+pdf
- http://files.sagadaview.com/uploads/1/3/2/8/132814375/3132943.pdf
- http://files.stringfun.com/uploads/1/3/0/8/130813427/burokasu.pdf
- http://files.mothers-for-mothers.com/uploads/1/3/2/7/132712011/vubunujaduj.pdf
- http://files.maggiekingfreelance.com/uploads/1/3/1/3/131398392/8158535.pdf
- https://cdn.shopify.com/s/files/1/0432/9511/3374/files/xegalefekinivu.pdf
- https://cdn.shopify.com/s/files/1/0428/0070/9791/files/kefawizafazug.pdf
- https://cdn.shopify.com/s/files/1/0428/0582/1599/files/7885196368.pdf
- https://cdn.shopify.com/s/files/1/0434/0740/9308/files/world_at_war_zombies_for_android.pdf
- https://cdn.shopify.com/s/files/1/0434/1186/5751/files/virtualbox_connect_to_internet_windows_xp.pdf
- https://cdn.shopify.com/s/files/1/0431/0905/6668/files/vejalajikixubajoxijep.pdf
- https://cdn.shopify.com/s/files/1/0440/9583/2216/files/93540000567.pdf
- https://cdn.shopify.com/s/files/1/0436/0136/3107/files/wipewavigogipagaw.pdf
- https://cdn.shopify.com/s/files/1/0429/4849/3475/files/tevolirugopaziwilovefonav.pdf
- https://cdn.shopify.com/s/files/1/0433/6690/8054/files/88943058701.pdf
- https://cdn.shopify.com/s/files/1/0440/6339/1894/files/mayweather_vs_canelo_full_fight.pdf
- https://cdn.shopify.com/s/files/1/0429/4203/8182/files/wefixugoxovewiba.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008d2a.bin632c769a1463fbfd19f1a4a0edd735ad0afd0895926cdc1d204e3a64e28bcf81 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D2A | 5468 bytes |
font_01_sfnt_off00009fc4.bina4e5a1a80810174f6d8f8b05dc8821777768d711497d815be1c2bb116e103021 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9FC4 | 10132 bytes |
font_02_sfnt_off0000c2b8.binab5786b853d89224aca5ee6f2a5570c41e97af6597a8c9d0262c24c7fe572d42 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC2B8 | 17996 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.