MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a mass of external links, many of which point to a redirector service (ttraff.cc) that is known to host malicious content. The document body, though heavily obfuscated, contains the URL that triggers the redirector, suggesting a lure for users seeking a specific PDF. The presence of numerous Shopify-hosted PDF links, some confirmed benign and others unknown, indicates a link farm strategy to improve search engine visibility for malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=oxford+picture+dictionary+pdf+free
- http://files.agentsreferralnetwork.com/uploads/1/3/1/4/131406843/jifekosuravuxatere.pdf
- http://files.yscprosthodontics.com/uploads/1/3/2/7/132741339/3813034.pdf
- http://zezef.cottonwoodcroft.com/uploads/1/3/0/7/130739415/edc5c2b010.pdf
- https://cdn.shopify.com/s/files/1/0432/2649/7182/files/bevatevuroniv.pdf
- https://cdn.shopify.com/s/files/1/0428/5058/2684/files/neet_2020_answer_key_aakash_with_solution.pdf
- https://cdn.shopify.com/s/files/1/0430/8297/3346/files/42589056367.pdf
- https://cdn.shopify.com/s/files/1/0430/5253/1869/files/poxivaketifanu.pdf
- https://cdn.shopify.com/s/files/1/0429/8211/3433/files/50862180091.pdf
- https://cdn.shopify.com/s/files/1/0435/7737/6936/files/kedubeb.pdf
- https://cdn.shopify.com/s/files/1/0428/8613/5961/files/steven_universe_episode_download.pdf
- https://cdn.shopify.com/s/files/1/0436/2112/2211/files/zalenulakelizisa.pdf
- https://cdn.shopify.com/s/files/1/0432/1725/6603/files/gavusulupomab.pdf
- https://cdn.shopify.com/s/files/1/0441/0189/4296/files/candidiasis_intestinal_tratamiento_medico.pdf
- https://cdn.shopify.com/s/files/1/0437/3794/0117/files/electrical_and_thermal_conductivity_of_metals.pdf
- https://cdn.shopify.com/s/files/1/0430/2657/9610/files/assembler_tutorial_deutsch.pdf
- https://cdn.shopify.com/s/files/1/0429/7211/9193/files/dadenizifirepusawonewara.pdf
- https://cdn.shopify.com/s/files/1/0432/1922/2687/files/sabuxometavomi.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000063b5.bine803a73c451518e872e3956f87dd439821db1173e1032d12be42c6014d843031 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x63B5 | 5136 bytes |
font_01_sfnt_off0000754b.bin245edb4b5a4f4c37d6af738369b468ec862e1d1f2d887bceec84cbc9c07af36f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x754B | 10672 bytes |
font_02_sfnt_off000099f9.bin49230a07578f2a0b108554ff1d47b1cb24b8f8081254bad551c0ce72ea05e0a5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x99F9 | 16544 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.