MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting a tactic to distribute malicious content or phish users. The primary malicious URL identified is https://ttraff.cc/pify?keyword=farsi+letters+pdf, which likely serves as a gateway to further malicious destinations. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=farsi+letters+pdf
- http://files.joaomiguelbranquinho.com/uploads/1/3/1/4/131452963/47925.pdf
- http://files.anythingpaperkim.com/uploads/1/3/1/6/131637125/xabuvufukapigazalev.pdf
- http://files.npnbuyer.net/uploads/1/3/1/6/131637919/zodexufofewu_jenur.pdf
- http://files.meghannrader.com/uploads/1/3/1/4/131437859/419e5ae4c6b43f.pdf
- https://cdn.shopify.com/s/files/1/0429/0114/3715/files/lekorugadojosewumonolo.pdf
- https://cdn.shopify.com/s/files/1/0439/1079/1323/files/saninobolobowakokaka.pdf
- https://cdn.shopify.com/s/files/1/0431/1980/4567/files/12249774336.pdf
- https://cdn.shopify.com/s/files/1/0431/4837/8280/files/97869337165.pdf
- https://cdn.shopify.com/s/files/1/0433/1008/8360/files/vobupovivodetepida.pdf
- https://cdn.shopify.com/s/files/1/0431/6043/6900/files/xitaveregireludokarufufo.pdf
- https://cdn.shopify.com/s/files/1/0438/9748/7512/files/70359337162.pdf
- https://cdn.shopify.com/s/files/1/0429/6169/8969/files/radenumezeleleramu.pdf
- https://cdn.shopify.com/s/files/1/0428/9105/1161/files/72336706643.pdf
- https://cdn.shopify.com/s/files/1/0427/9477/8791/files/porodokewolixejalezoza.pdf
- https://cdn.shopify.com/s/files/1/0434/3303/3880/files/rusirebimafenoge.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/96672573922.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_006_off0000f9ea.bind3b2cff80ae648c5d1a2473a48e7f7d4438479ff5063064d5810e072b51fcbe3 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF9EA | 39792 bytes |
font_00_sfnt_off0000a162.bin8f566ce1f2de429e60eecd020c6e406a5b6a119a7715e3fd46b0d080c5d9ffea |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA162 | 4988 bytes |
font_01_sfnt_off0000b22b.bin0efe26d3edee0ec6bd598ecd78ec680c029cdaf30796094f9bd47d6cda2e03e5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB22B | 6792 bytes |
font_02_sfnt_off0000c24c.bina52bae0a21437e88ecd2f4f4f4e892e3b951da5864e37bd488e4fad9ea76ac74 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC24C | 19296 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.