MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a large number of embedded links, with many pointing to Shopify domains and one specifically to a known malicious redirector at 'ttraff.ru'. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms the malicious nature of the redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large collection of external links, suggesting an attempt to manipulate search results or distribute malicious content through a link farm. The document body is heavily obfuscated and does not provide clear textual lures.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=android+xml+tools+namespace
- http://files.francescagracenutrition.com/uploads/1/3/0/7/130775715/minemilejen_zimufuk_tugilotis.pdf
- http://files.plantmorenatives.com/uploads/1/3/0/7/130775200/gusolupelodoj.pdf
- http://files.carloshoyt.com/uploads/1/3/1/4/131408369/606ec1573.pdf
- https://cdn.shopify.com/s/files/1/0431/5945/3860/files/nisizim.pdf
- https://cdn.shopify.com/s/files/1/0436/3337/7440/files/zasoxitojirezizidisuroxep.pdf
- https://cdn.shopify.com/s/files/1/0434/0216/6435/files/debovukakikakudab.pdf
- https://cdn.shopify.com/s/files/1/0429/5901/2006/files/22709746695.pdf
- https://cdn.shopify.com/s/files/1/0434/5357/9430/files/59837697862.pdf
- https://cdn.shopify.com/s/files/1/0430/8303/8874/files/47628786933.pdf
- https://cdn.shopify.com/s/files/1/0439/0223/8888/files/tusiwerosusudelidesu.pdf
- https://cdn.shopify.com/s/files/1/0433/6713/7438/files/62350985805.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/53446206952.pdf
- https://cdn.shopify.com/s/files/1/0429/9636/7511/files/xegoviwabeneloxuxi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/9525543421.pdf
- https://cdn.shopify.com/s/files/1/0435/6227/0879/files/45456930221.pdf
- https://cdn.shopify.com/s/files/1/0429/8581/6218/files/disexolaniwekejevubiko.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/70745323757.pdf
- https://cdn.shopify.com/s/files/1/0429/2087/0044/files/95080084966.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007158.binf2e38cb7e5962a3a51bba1b920f6ba47df3d2e25cfa480781858e067642b9fc1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7158 | 5064 bytes |
font_01_sfnt_off0000826a.bin3786bea0b25c7084ca0caed930b36d6df309fdaacc87a7dbf33c959c6b8c055a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x826A | 11548 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.