MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=a+gift+of+fire+pdf'. This indicates the document's primary purpose is to trick users into visiting a malicious site. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, suggesting a broader campaign to distribute malicious content. No scripts were extracted, limiting the analysis of direct execution capabilities.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=a+gift+of+fire+pdf
- http://xavob.cayugalakehouse.net/uploads/1/3/1/1/131164312/91ee0543.pdf
- http://files.adultdaycenter.org/uploads/1/3/1/1/131163879/3329193.pdf
- http://files.stpeterbaseball.com/uploads/1/3/0/8/130874655/411e93977a7a.pdf
- http://files.simchatalya.com/uploads/1/3/0/7/130738921/wibakex-vivasefavo-pebupadopebak-venuwevu.pdf
- https://cdn.shopify.com/s/files/1/0432/0568/9504/files/jililus.pdf
- https://cdn.shopify.com/s/files/1/0433/9941/3925/files/17233976072.pdf
- https://cdn.shopify.com/s/files/1/0437/0504/1051/files/64620401107.pdf
- https://cdn.shopify.com/s/files/1/0430/6056/0025/files/pelofenewutedir.pdf
- https://cdn.shopify.com/s/files/1/0432/6768/6556/files/rategona.pdf
- https://cdn.shopify.com/s/files/1/0432/8289/0912/files/giwesamivajazojunaroj.pdf
- https://cdn.shopify.com/s/files/1/0436/0486/9277/files/wiser.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/16949815227.pdf
- https://cdn.shopify.com/s/files/1/0431/8468/5224/files/43088427200.pdf
- https://cdn.shopify.com/s/files/1/0437/3377/8597/files/61557787356.pdf
- https://cdn.shopify.com/s/files/1/0428/3708/2271/files/26848796538.pdf
- https://cdn.shopify.com/s/files/1/0435/3127/2346/files/tubabamadewiteve.pdf
- https://cdn.shopify.com/s/files/1/0436/3016/6176/files/zorexavojavitajoxep.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0433/9941/39
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_006_off0000de2f.binfad726eedd74853ef62eedc7df5ae29ddb8731fbdcdb8794a75fb95c3e9ead63 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xDE2F | 24024 bytes |
font_00_sfnt_off0000aa08.bin99f6cb9031e1dba5d47c0fb2bd6e7241d94fd84ff5d1e355459fd4845a51e6b4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA08 | 4776 bytes |
font_01_sfnt_off0000ba5e.bin163732f6d9b34fcef75c8b272e6ad1cdbe8e65ff1016ee91a6dcb7085021cca5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBA5E | 10440 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.