Verdict: MALICIOUS
Risk Score: 130
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a mass external link farm, with many links pointing to Shopify domains hosting PDF files, and one critical link to a known malicious redirector infrastructure at 'ttraff.ru'. The document body, though heavily obfuscated, contains references to 'abbyy pdf transformer 3.0 serial number' and includes the malicious URL, suggesting a lure for cracked software. The presence of a visual download button heuristic further supports this phishing pretext.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (severity: critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs
- https://ttraff.ru/pify?keyword=abbyy+pdf+transformer+3.+0+serial+number+laz%25C4%25B1m
- http://nomosedor.whspta.com/uploads/1/3/2/3/132303410/namiwebijufepopibit.pdf
- http://kigelosog.robertsiteach.org/uploads/1/3/2/6/132682883/nupate-tilazopeb-wadedok.pdf
- http://jajedix.nddistrictyouth.org.uk/uploads/1/3/1/4/131406437/6244726.pdf
- http://files.madebyloulou.net/uploads/1/3/1/8/131871891/59bfb6ba928ffb6.pdf
- https://cdn.shopify.com/s/files/1/0429/9315/6259/files/18767679586.pdf
- https://cdn.shopify.com/s/files/1/0433/5229/3541/files/kudigagawofiro.pdf
- https://cdn.shopify.com/s/files/1/0436/9927/3896/files/7597218319.pdf
- https://cdn.shopify.com/s/files/1/0431/8419/3697/files/list_of_cities_in_the_usa.pdf
- https://cdn.shopify.com/s/files/1/0434/1514/2551/files/95176804779.pdf
- https://cdn.shopify.com/s/files/1/0437/3371/3050/files/70785906935.pdf
- https://cdn.shopify.com/s/files/1/0441/1850/7672/files/photoshop_hosts_file.pdf
- https://cdn.shopify.com/s/files/1/0428/9373/8143/files/vavidam.pdf
- https://cdn.shopify.com/s/files/1/0430/6888/3097/files/biluwevowofaxelosuvi.pdf
- https://cdn.shopify.com/s/files/1/0434/0406/6967/files/demuzipejenaxib.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sujufizolotedugogu.pdf
- https://cdn.shopify.com/s/files/1/0441/3535/0424/files/67022281381.pdf
- https://cdn.shopify.com/s/files/1/0430/4375/0049/files/kijemomatoralivonelopedab.pdf
- https://cdn.shopify.com/s/files/1/0431/6420/5216/files/abacus_level_5_worksheets.pdf
- https://cdn.shopify.com/s/files/1/0450/3538/9086/files/asymptomatic_hyperuricemia.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005c34.bin | 69410b9b852cfdd8794709ad7e602c0fd277406ebea89a5f8d9f414881cd1e12 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C34 | 5836 bytes |
| font_01_sfnt_off0000700a.bin | 1924368fd1556b7196da8d603c115e246f2e6145a98d54ed95ef5270e8852247 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x700A | 10332 bytes |