MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. It also exhibits characteristics of a PDF link farm, with numerous external links, many hosted on Shopify. The document body, though heavily obfuscated, contains the same redirector URL and several Shopify URLs, suggesting a lure to external content. The presence of a 'download button' heuristic further supports the social engineering aspect of this attack.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=how%20to%20combine%202%20pdf%20files%20in%20windows%2010
- http://files.riversidechapelforbes.org/uploads/1/3/1/8/131857115/xezatotaje_legupozoba_gokuluxevuk_miduduz.pdf
- http://jegovi.premierbeachfl.com/uploads/1/3/2/6/132682883/tojofexagilijot_nikuma_fasoxovases.pdf
- http://pegalewep.theflyingbanners.com/uploads/1/3/2/7/132740965/961573fe3.pdf
- http://files.msnlawoffice.com/uploads/1/3/1/4/131454034/vajupomanuxe-gabuna.pdf
- http://files.growlerlamp.com/uploads/1/3/2/6/132681368/9645313.pdf
- https://cdn.shopify.com/s/files/1/0439/9159/7214/files/31285904720.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53940500656.pdf
- https://cdn.shopify.com/s/files/1/0433/7519/8373/files/antibiograma_para_enterobacterias.pdf
- https://cdn.shopify.com/s/files/1/0449/1198/4795/files/wozodudelisalugabuse.pdf
- https://cdn.shopify.com/s/files/1/0429/1395/6007/files/xadoviguxogoxedibemodi.pdf
- https://cdn.shopify.com/s/files/1/0436/3255/8240/files/gulisugizozawimasura.pdf
- https://cdn.shopify.com/s/files/1/0427/4677/3660/files/cheat_codes_for_mx_vs._atv_untamed.pdf
- https://cdn.shopify.com/s/files/1/0434/0596/7527/files/budget_2020_highlights_vision_ias.pdf
- https://cdn.shopify.com/s/files/1/0428/4655/2230/files/xipiledaxupusuxifoz.pdf
- https://cdn.shopify.com/s/files/1/0428/2561/3475/files/mobufuveto.pdf
- https://cdn.shopify.com/s/files/1/0427/6705/7063/files/zodijozupefogel.pdf
- https://cdn.shopify.com/s/files/1/0428/4927/1975/files/begusavasu.pdf
- https://cdn.shopify.com/s/files/1/0440/1030/7749/files/78890998326.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007189.bin1009ae5ec138f1a8ba4bce2df6ec42c2da8d3bfd662fd30c0da8bea9f2b58220 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7189 | 5516 bytes |
font_01_sfnt_off00008456.bin9145e992641d04bb294dca8350325e92eef86622323de8271794105071cc4b79 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8456 | 10136 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.