MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a mass external link farm, with a primary link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=bandit+queen+book+pdf', suggesting a lure for users seeking a book download. This redirector likely leads to a malicious payload or phishing page. The presence of numerous Shopify links, some confirmed benign and others unknown, indicates an attempt to blend malicious links with legitimate ones.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=bandit+queen+book+pdf
- http://files.dsa2020.org/uploads/1/3/1/0/131070434/vizixuv.pdf
- http://bixow.oldgloryundersiege.com/uploads/1/3/0/8/130873826/wutadojozovenugifa.pdf
- http://files.turfinstaller.net/uploads/1/3/0/9/130970014/f244d92b.pdf
- http://files.abchase.co/uploads/1/3/0/9/130968984/030dc869d3609b7.pdf
- https://cdn.shopify.com/s/files/1/0435/8435/6507/files/rasudufojo.pdf
- https://cdn.shopify.com/s/files/1/0433/6451/5994/files/18658098608.pdf
- https://cdn.shopify.com/s/files/1/0435/0548/3942/files/lugamusijir.pdf
- https://cdn.shopify.com/s/files/1/0432/6378/7170/files/jilewitalinasavupetoje.pdf
- https://cdn.shopify.com/s/files/1/0435/1541/2632/files/jonesokalebakefu.pdf
- https://cdn.shopify.com/s/files/1/0435/6079/6318/files/73624357693.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xizujebekox.pdf
- https://cdn.shopify.com/s/files/1/0429/5095/1066/files/44304035763.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lunizededalusabunis.pdf
- https://cdn.shopify.com/s/files/1/0435/1993/4628/files/paxul.pdf
- https://cdn.shopify.com/s/files/1/0431/8652/0224/files/xatedabi.pdf
- https://cdn.shopify.com/s/files/1/0438/0209/9873/files/xufegefi.pdf
- https://cdn.shopify.com/s/files/1/0429/6704/0154/files/canon_powershot_sx500_is_manual.pdf
- https://cdn.shopify.com/s/files/1/0430/3526/3138/files/92826579067.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000072f8.bin13d35ae94113f4d7f12c2c0f151fe6b07969be4a366ef3f53d89b109fba083cd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x72F8 | 4992 bytes |
font_01_sfnt_off000083fa.bin4cd4b94d11c9038b4b053d9c96c7fefd796bc202e0bb11641520d9f1fb39a885 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x83FA | 10644 bytes |
font_02_sfnt_off0000a815.binebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA815 | 16164 bytes |
font_03_sfnt_off0000bd2d.bin4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBD2D | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.