MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains embedded JavaScript and multiple external links, including a malicious redirector. The document body and heuristics strongly indicate an advance-fee scam, luring the user with a fake guide and a download button to a malicious redirector. The redirector likely leads to further stages of the scam or malware delivery.
Heuristics 6
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=ibps+guide+editorial+july+2019
- http://bigev.incolorartgallery.com/uploads/1/3/1/3/131384771/dekewiwodutawev-tenumino-diwoxewonozomum-tiguputa.pdf
- http://files.melissafloresdesigns.com/uploads/1/3/0/8/130814283/pusuxokakizadusirav.pdf
- http://javivo.stampgeneral.com/uploads/1/3/0/7/130775735/ec01e5.pdf
- https://cdn.shopify.com/s/files/1/0431/6623/6834/files/bupozemid.pdf
- https://cdn.shopify.com/s/files/1/0437/3161/5909/files/29439383024.pdf
- https://cdn.shopify.com/s/files/1/0438/2107/2541/files/7561005735.pdf
- https://cdn.shopify.com/s/files/1/0454/7398/8774/files/81952913637.pdf
- https://cdn.shopify.com/s/files/1/0432/5654/5433/files/linfoma_de_burkitt_y_vih.pdf
- https://cdn.shopify.com/s/files/1/0430/5109/0071/files/kukekuwekewakeme.pdf
- https://cdn.shopify.com/s/files/1/0432/2738/1920/files/furomazoraw.pdf
- https://cdn.shopify.com/s/files/1/0428/7689/5398/files/90640886332.pdf
- https://cdn.shopify.com/s/files/1/0430/4456/9242/files/rabujo.pdf
- https://cdn.shopify.com/s/files/1/0435/2288/3735/files/vepabedabanezizodalisu.pdf
- https://cdn.shopify.com/s/files/1/0433/4891/8440/files/86954158828.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006a92.bin877f6dc49a618c7ea04173959a4c5ee015fdbf0dbd4907a4d3592e82233eaf8a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A92 | 5864 bytes |
font_01_sfnt_off00007e95.bin316a3e18445b4097cf19c2f6d89130443d42a2bff174c58e05e715f90129c9f7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E95 | 10588 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.