Malware Insights
The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm or redirection scheme. One critical heuristic identified a link to known malicious redirector infrastructure at 'https://ttraff.ru/pify?keyword=adobe+acrobat+ocr'. The document body, though heavily obfuscated, contains references to 'Adobe acrobat ocr' and the tool 'wkhtmltopdf', indicating a potential lure to trick users into clicking the malicious link. The presence of numerous PDF links and a malicious redirector strongly suggests a phishing or redirection attack.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=adobe+acrobat+ocr
- http://files.tinsley-chiropractic.com/uploads/1/3/1/3/131398219/d5eb1702c9e3e.pdf
- http://files.r2mechanicalinc.com/uploads/1/3/1/0/131070911/vaduxopif.pdf
- http://files.mycupidclothing.com/uploads/1/3/0/7/130775556/8720055.pdf
- https://cdn.shopify.com/s/files/1/0432/7142/2102/files/rujidubudovoxita.pdf
- https://cdn.shopify.com/s/files/1/0433/3862/9270/files/44429965762.pdf
- https://cdn.shopify.com/s/files/1/0428/9665/4489/files/chemical_process_safety_3rd_edition.pdf
- https://cdn.shopify.com/s/files/1/0427/4615/1078/files/fatibediniwiworuxiro.pdf
- https://cdn.shopify.com/s/files/1/0431/7121/7572/files/raxonowiwutafag.pdf
- https://cdn.shopify.com/s/files/1/0433/6674/4216/files/43567236414.pdf
- https://cdn.shopify.com/s/files/1/0427/9074/8316/files/zapapupuwilexomer.pdf
- https://cdn.shopify.com/s/files/1/0429/8512/8099/files/32936616883.pdf
- https://cdn.shopify.com/s/files/1/0432/1397/9812/files/90629120859.pdf
- https://cdn.shopify.com/s/files/1/0435/4765/6343/files/fepuralepo.pdf
- https://cdn.shopify.com/s/files/1/0447/0787/2921/files/warhammer_40k_fire_warrior.pdf
- https://cdn.shopify.com/s/files/1/0434/0216/6428/files/67995606692.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000724e.bin3c85df728a9e9a33a03df11c69418fec132489099d0813ea5e7977d5aca6fb5d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x724E | 4484 bytes |
font_01_sfnt_off00008198.bin5e8a5ee6081a134259dab581e0546d37202642dd0088ca2adc2570c21f839467 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8198 | 10460 bytes |
font_02_sfnt_off0000a531.bin4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA531 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.