MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.001 Malicious Link
The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to malicious infrastructure. The document body, though partially corrupted, includes text suggesting it's a 'Yealink t48s quick reference guide' and contains the malicious URL. The PDF_SEO_LINK_FARM heuristic indicates a large number of outbound links, many of which are benign PDFs hosted on Shopify, but the primary link is to a known malicious redirector. The SE_CALLBACK_LURE heuristic suggests a social engineering pretext, likely to trick the user into clicking the malicious link.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=yealink+t48s+quick+reference+guide
- http://files.riverwalkadultdayservices.com/uploads/1/3/2/6/132681556/rixoxatuvanun_xerifosotubul_badafurupakum_dexumegapo.pdf
- https://cdn.shopify.com/s/files/1/0433/5783/1336/files/who_am_i_casting_crowns_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0452/7502/1474/files/mateneriwetamatuwamobug.pdf
- https://cdn.shopify.com/s/files/1/0437/6618/6135/files/72875892673.pdf
- https://cdn.shopify.com/s/files/1/0440/1253/5958/files/capacity_management_blackstone.pdf
- https://cdn.shopify.com/s/files/1/0430/7117/6855/files/regubusutolasovum.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/63537272249.pdf
- https://cdn.shopify.com/s/files/1/0433/6674/4220/files/abnormal_psychology_a_south_african_perspective_textbook.pdf
- https://cdn.shopify.com/s/files/1/0445/4429/5076/files/5446734381.pdf
- https://cdn.shopify.com/s/files/1/0440/3603/0614/files/hesi_grammar_practice_worksheets.pdf
- https://cdn.shopify.com/s/files/1/0434/6124/7129/files/engineering_mathematics_3_vtu_notes.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004648.bin9d1debca189fcf1580236614b17bf742a802729bec84289259a2f7eb54507882 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4648 | 5396 bytes |
font_01_sfnt_off000058a0.bin040b552597456a61f4a5fb6d758e2a957abb02fbe75620840da2f4ca9c58a7d9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x58A0 | 9704 bytes |
font_02_sfnt_off000079bf.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x79BF | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.