MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=spider+man+3+ppsspp+cso'. Additionally, it exhibits a PDF link farm heuristic, with numerous links to Shopify-hosted PDFs, suggesting a broad distribution effort. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document may be designed to trick users into believing they need a password for an archive, a common tactic to bypass gateway security. The document body contains garbled text but also the malicious URL, reinforcing the redirection attempt.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=spider+man+3+ppsspp+cso
- http://files.lotekstreetart.com/uploads/1/3/1/4/131437005/8e33656644c2.pdf
- http://files.melchersacredheart.com/uploads/1/3/2/3/132303151/jogaxunotofuruj.pdf
- https://cdn.shopify.com/s/files/1/0434/0898/2165/files/51954387007.pdf
- https://cdn.shopify.com/s/files/1/0431/6577/8076/files/tropic_seas_spas.pdf
- https://cdn.shopify.com/s/files/1/0434/6177/1430/files/problem_solving_101_download.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/21244882445.pdf
- https://cdn.shopify.com/s/files/1/0438/5928/0022/files/equality_and_equity.pdf
- https://cdn.shopify.com/s/files/1/0429/6550/0060/files/99188763756.pdf
- https://cdn.shopify.com/s/files/1/0434/5672/5159/files/26769367456.pdf
- https://cdn.shopify.com/s/files/1/0431/8458/6909/files/espresso_english_grammar_level_3.pdf
- https://cdn.shopify.com/s/files/1/0437/8204/5858/files/96815291949.pdf
- https://cdn.shopify.com/s/files/1/0434/0485/3406/files/mevujisomigijogu.pdf
- https://cdn.shopify.com/s/files/1/0428/5346/6271/files/87487502795.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004f63.bince1ec9e85f4c23bbb448419c9f794300a3c4625b06e604a619504daed8680305 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F63 | 5456 bytes |
font_01_sfnt_off000061ca.binb557cceca031d2476a408873cebabc14fa9f1b54a5f045c5cfa935ad9f55b7ad |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x61CA | 10356 bytes |
font_02_sfnt_off0000853b.bincb07af63cc967bc725defeb60e0f94def8eca5b79d09fb04145a87b09fb96d38 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x853B | 16076 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.