Verdict: MALICIOUS (Risk Score 120)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 Command and Scripting Interpreter: PowerShell
The PDF contains a mass external link farm, with a critical heuristic firing for a malicious redirector. The primary malicious URL, 'https://ttraff.com/pify?keyword=abraham+joshua+heschel+the+prophets+pdf', is designed to redirect users to potentially harmful content. The document body, though heavily obfuscated, contains references to the malicious URL and other URLs hosted on Shopify, suggesting a coordinated effort to distribute malicious links under the guise of academic or informational PDFs.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (severity: critical, ID: PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (severity: info, ID: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Primary URL: https://ttraff.com/pify?keyword=abraham+joshua+heschel+the+prophets+pdf
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000087d8.bin | 6ddb54c18dec951acf03b4f3050c359f9e1c73d74a9b763a959c7cdfaaea138a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x87D8 | 5600 bytes |
| font_01_sfnt_off00009aba.bin | 2908a61b0a521a190f60a259b5220f3a6b2486b38b12d679514a992a3ba942d7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9ABA | 10076 bytes |