MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains numerous embedded links, with one identified as a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/pify?keyword=shaandaar+songs+320kbps+free' which is flagged as malicious. Additionally, a large number of links to external PDFs hosted on various domains were found, suggesting a link farm or SEO poisoning attempt. No scripts were extracted, but the presence of malicious redirectors and a large number of external links indicates a high likelihood of phishing or malware delivery.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=shaandaar+songs+320kbps+free
- http://files.girlzwithguns2019.com/uploads/1/3/1/8/131872105/5121821.pdf
- http://files.lm1a.net/uploads/1/3/2/6/132682913/nupanon_nokuroda_rezozi_jovixofukema.pdf
- http://files.rocathedral.org/uploads/1/3/1/3/131379213/rezuxebezusopu.pdf
- http://files.istyleyourevent.com/uploads/1/3/1/0/131070786/3c248.pdf
- http://fancli.com/1avz67
- https://cdn.shopify.com/s/files/1/0434/5865/8456/files/17249393251.pdf
- https://cdn.shopify.com/s/files/1/0432/6676/9051/files/zemumidap.pdf
- https://cdn.shopify.com/s/files/1/0439/0017/4504/files/evicore_cigna_clinical_guidelines.pdf
- https://cdn.shopify.com/s/files/1/0440/8918/0310/files/stewart_calculus.pdf
- https://cdn.shopify.com/s/files/1/0430/8297/3346/files/jetajipizupisomupesuwewu.pdf
- https://cdn.shopify.com/s/files/1/0433/9322/0766/files/adrian_raine_the_anatomy_of_violence.pdf
- https://cdn.shopify.com/s/files/1/0429/4914/8828/files/mixudewupinurikilojivob.pdf
- https://cdn.shopify.com/s/files/1/0430/2176/2723/files/anatomy_of_primary_teeth.pdf
- https://cdn.shopify.com/s/files/1/0428/2089/4886/files/kaguxemawezexurusuvalemi.pdf
- https://cdn.shopify.com/s/files/1/0439/5863/2606/files/sokepesowinijajixewizu.pdf
- https://cdn.shopify.com/s/files/1/0431/2177/0656/files/wurobufuvapozeb.pdf
- https://cdn.shopify.com/s/files/1/0434/8166/1600/files/anticapitalismo_libro.pdf
- https://cdn.shopify.com/s/files/1/0427/9356/6364/files/meaning_of_affirmative_action.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005bed.bindc7da8deeb10f9069a6404b8bd96d1aad9ef15cd8c018faffa21fe819f994e4e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BED | 6016 bytes |
font_01_sfnt_off0000704d.bin7e6a19f29e7247c435a399f9882dfdfcf3c0da9786732e84aa3a9bfc9ae1a3dd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x704D | 12896 bytes |
font_02_sfnt_off00009971.bin21cc8ffe6fa87544cd0e154f1e9894eec6526d8583e4ae1cfbc1ba69024741ef |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9971 | 3020 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.