MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link, directing users to 'https://ttraff.ru/pify?keyword=free++capleton+slew+dem'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The document body also contains a lure suggesting the user needs to install a browser extension or update to view content, which is a common social-engineering tactic. These elements indicate a likely phishing or malware delivery attempt.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=free++capleton+slew+dem
- http://files.deevinestudio.com.au/uploads/1/3/2/6/132695663/dixidujulezamom_nepupedisadaxo_zadesuwawora.pdf
- http://ziniveju.livingcolorfundraiser.com/uploads/1/3/0/8/130813780/fd253.pdf
- http://files.yiannchen.com/uploads/1/3/0/7/130739488/276e4.pdf
- http://vokijeka.georesource.co.uk/uploads/1/3/2/7/132740649/1371580.pdf
- http://files.marleysinternational.com/uploads/1/3/0/7/130775503/mepovijadazege.pdf
- https://cdn.shopify.com/s/files/1/0437/6576/0151/files/84286250079.pdf
- https://cdn.shopify.com/s/files/1/0431/0463/2992/files/ada_diabetes_espaol.pdf
- https://cdn.shopify.com/s/files/1/0433/5868/3294/files/miboxeguxubunavap.pdf
- https://cdn.shopify.com/s/files/1/0432/7096/3366/files/gigenotusixisadilefeluj.pdf
- https://cdn.shopify.com/s/files/1/0435/0833/4744/files/problemas_movimiento_rectilineo_uniforme.pdf
- https://cdn.shopify.com/s/files/1/0428/5631/7091/files/different_types_of_exception_in_java.pdf
- https://cdn.shopify.com/s/files/1/0434/1687/9271/files/9011483621.pdf
- https://cdn.shopify.com/s/files/1/0435/5827/3183/files/madasokojesorawun.pdf
- https://cdn.shopify.com/s/files/1/0434/4712/4130/files/unearthed_arcana_d_d_3._5.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004965.bin077197cbd132c0d2234dea83ebdff6477b35a59b0a0e7eb407012d4ef1145604 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4965 | 5264 bytes |
font_01_sfnt_off00005b3f.bin78489eeeae5238915ad4aa72f9acde50f7c88b95cf6d3966a4e02c0a8e750a3d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B3F | 10652 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.