Malware Insights
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=caverject+instructions+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, including one to 'https://cdn.shopify.com/s/files/1/0435/5430/8257/files/90958842763.pdf'. The document body, though heavily obfuscated, contains references to 'Caverject instructions pdf' and the authoring application 'wkhtmltopdf', suggesting a lure to disguise malicious content. The primary intent appears to be redirecting users to malicious infrastructure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=caverject+instructions+pdf
- http://files.newhanoverdisastercoalition.org/uploads/1/3/1/3/131397973/patubifuzipar-komagezagovesoj.pdf
- http://files.openarmspcnm.com/uploads/1/3/1/4/131407944/0df70.pdf
- http://dududo.texaspoliticaljobs.com/uploads/1/3/0/7/130775735/bowanubatedude.pdf
- http://files.makeandflourish.co.uk/uploads/1/3/0/8/130874672/e7c04c.pdf
- http://files.willowwildedges.com/uploads/1/3/1/8/131856443/xukopiwome-tojazelapiz-kasivezobisu-sunezurawuse.pdf
- https://cdn.shopify.com/s/files/1/0435/5430/8257/files/90958842763.pdf
- https://cdn.shopify.com/s/files/1/0436/6126/3001/files/caste_category_list_in_rajasthan.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pepefawabibuf.pdf
- https://cdn.shopify.com/s/files/1/0434/8523/3318/files/arpa_dolomiti_meteo.pdf
- https://cdn.shopify.com/s/files/1/0430/2585/8714/files/reverse_polish_notation_c.pdf
- https://cdn.shopify.com/s/files/1/0433/5829/0070/files/22231365287.pdf
- https://cdn.shopify.com/s/files/1/0430/4853/4167/files/topolekurigeporusen.pdf
- https://cdn.shopify.com/s/files/1/0433/1280/8091/files/gozelizelu.pdf
- https://cdn.shopify.com/s/files/1/0430/4669/9165/files/4032578158.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pajakeveposemilakojataza.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008b51.bin35f0891270c87770bf612bf033946663b9977df5f6db9d4250dd1d5aec119b72 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8B51 | 5160 bytes |
font_01_sfnt_off00009cfe.bin9c74fb5dcdffe1e7e5be991e94387aa4a8a3e6cd40811c08f2a508da67e1f6c5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9CFE | 10692 bytes |
font_02_sfnt_off0000c18b.binb50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC18B | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.