MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.003 Command and Scripting Interpreter: Windows Command Shell
The PDF contains a large number of embedded links, many of which point to a redirector service. One critical heuristic indicates that the PDF links to known malicious redirector infrastructure. Additionally, the document body contains instructions that suggest a 'copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context' lure, indicating a potential attempt to trick the user into executing commands. The primary malicious URL identified is https://ttraff.ru/pify?keyword=centos+commands+cheat+sheet+pdf.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=centos+commands+cheat+sheet+pdf
- http://files.jetsettista.com/uploads/1/3/1/4/131437919/fejugofiropugaj-sixujeg-somorizuma.pdf
- http://files.ekshrine.com/uploads/1/3/1/3/131384660/vozisawaliromo.pdf
- http://files.chardoncommunityactionteam.org/uploads/1/3/1/3/131384018/pugotut-newifuniz.pdf
- http://tomape.anncarragher.com/uploads/1/3/0/7/130739615/vomezatu.pdf
- http://lexipo.bthnm.org/uploads/1/3/1/6/131606552/menaxuwowiwuza_lifuvikupipo_topoguti_vugewekunerani.pdf
- https://cdn.shopify.com/s/files/1/0437/6671/0433/files/95514445845.pdf
- https://cdn.shopify.com/s/files/1/0437/1959/0040/files/agenda_2020_ua.pdf
- https://cdn.shopify.com/s/files/1/0430/2739/8807/files/grammy_awards_2020_winners_list.pdf
- https://cdn.shopify.com/s/files/1/0432/0460/8155/files/63587281173.pdf
- https://cdn.shopify.com/s/files/1/0432/7931/9196/files/sonotefezed.pdf
- https://cdn.shopify.com/s/files/1/0435/6807/0824/files/2261441131.pdf
- https://cdn.shopify.com/s/files/1/0432/5870/8118/files/8837892790.pdf
- https://cdn.shopify.com/s/files/1/0439/2094/9403/files/javascript_add_to_array.pdf
- https://cdn.shopify.com/s/files/1/0430/0849/1673/files/migapusepixiwegimijof.pdf
- https://cdn.shopify.com/s/files/1/0430/4335/6821/files/didejiwoleraxafixep.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006ae1.bin3d11930beef15c8ab4cf5ddfb5ae8f9da087f64fe384895ce9213b3cd93628e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AE1 | 5172 bytes |
font_01_sfnt_off00007c52.bindf550325fe5c2ce8c9f5dca23fdb2b5214be84f8b378caed83e2c75c3c82503b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C52 | 14532 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.