MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious Link
T1566.002 Spearphishing Attachment
T1059.003 Windows Command Shell
The PDF contains a malicious redirector link disguised as a free software activation code, which is a common lure for phishing or malware delivery. The document body also contains instructions to copy/paste content into a shell, indicating a potential command execution attempt. The presence of numerous embedded links, many pointing to Shopify domains, suggests a link farm or SEO poisoning tactic to increase visibility. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=activation+code+autocad+2013+free
- http://pupov.theoffbeattraveler.com/uploads/1/3/1/4/131483281/1667265.pdf
- http://files.febondicatering.com/uploads/1/3/1/4/131438177/f50de0999c07.pdf
- http://files.bonneygirlphotography.com/uploads/1/3/2/6/132681204/sapoxorufewodod.pdf
- http://files.aginestra-design.com/uploads/1/3/0/8/130814492/fibobutimudopu.pdf
- https://cdn.shopify.com/s/files/1/0435/2288/3735/files/ceh_v9_certified_ethical_hacker_version_9_study_guide.pdf
- https://cdn.shopify.com/s/files/1/0450/9207/7731/files/39039286138.pdf
- https://cdn.shopify.com/s/files/1/0429/1851/0745/files/15598178794.pdf
- https://cdn.shopify.com/s/files/1/0436/4229/0336/files/kajexapasepalebasez.pdf
- https://cdn.shopify.com/s/files/1/0433/6841/5400/files/31986697930.pdf
- https://cdn.shopify.com/s/files/1/0429/7841/0655/files/20905235223.pdf
- https://cdn.shopify.com/s/files/1/0427/8000/0423/files/23965557412.pdf
- https://cdn.shopify.com/s/files/1/0427/3248/6823/files/namiwonironozal.pdf
- https://cdn.shopify.com/s/files/1/0429/4233/3087/files/30538142426.pdf
- https://cdn.shopify.com/s/files/1/0434/7248/6564/files/winning_eleven_brasileiro_2005_ps1.pdf
- https://cdn.shopify.com/s/files/1/0440/5651/0616/files/43233798208.pdf
- https://cdn.shopify.com/s/files/1/0437/7139/6257/files/jasmine-_reporters_protractor_example.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006874.binfedfb61c7e75c8aeee7193238cd5f5e6c1c425110ab0bbb90c99140eb23bac51 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6874 | 5344 bytes |
font_01_sfnt_off00007ab9.bin86496e434bda43344f059aed2f96f3164006f18a03ba06fc83dc390180cd23e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7AB9 | 14600 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.