MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wb?keyword=programming%20python%20powerful%20object-oriented%20programming%20pdf%20github'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, including one to 'https://cdn.shopify.com/s/files/1/0432/8249/7701/files/bennett_mechanical_comprehension_test.pdf'. The document body, though heavily obfuscated, contains these URLs, suggesting a lure to download or access external content which likely leads to malicious activity.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=programming%20python%20powerful%20object-oriented%20programming%20pdf%20github
- http://tofema.mccormickqwik.com/uploads/1/3/0/8/130814174/birige_lojiparorozafo_rufigom.pdf
- http://files.topstitchpro.com/uploads/1/3/1/3/131379894/37d1241e87b82.pdf
- http://files.billingspattern.com/uploads/1/3/1/3/131381675/pisusiv.pdf
- https://cdn.shopify.com/s/files/1/0432/8249/7701/files/bennett_mechanical_comprehension_test.pdf
- https://cdn.shopify.com/s/files/1/0431/2052/5476/files/10622672989.pdf
- https://cdn.shopify.com/s/files/1/0436/0595/0626/files/maxafizaroburefexevekepiz.pdf
- https://cdn.shopify.com/s/files/1/0432/0811/4340/files/83135345834.pdf
- https://cdn.shopify.com/s/files/1/0435/8144/0168/files/lojimuvuxokobe.pdf
- https://cdn.shopify.com/s/files/1/0433/4164/3928/files/15461348147.pdf
- https://cdn.shopify.com/s/files/1/0433/0507/4838/files/c_length_of_array.pdf
- https://cdn.shopify.com/s/files/1/0429/9964/4314/files/mupube.pdf
- https://cdn.shopify.com/s/files/1/0430/9755/5108/files/audi_a3_price_list.pdf
- https://cdn.shopify.com/s/files/1/0428/5913/5132/files/ziwenudisikexafawiwog.pdf
- https://cdn.shopify.com/s/files/1/0428/1185/0918/files/ximewoxuduluruwored.pdf
- https://cdn.shopify.com/s/files/1/0436/2177/7570/files/13535314543.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000069d6.bin71c8282a145ffa379de4d78a6837627b936494be37155eabd486619c9f22c720 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x69D6 | 5832 bytes |
font_01_sfnt_off00007d92.bin596754f7f0cdd4a62fad5cc72fa96a5f46419518844f5abd6441c17e9b90002e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7D92 | 10904 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.