MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, a technique often used for SEO link farms or to redirect users to malicious sites. One of the primary URLs, 'https://ttraff.ru/wix?keyword=baki+epis%25C3%25B3dio+27+anime', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other benign-looking PDFs hosted on static.usrfiles.com and cdn.shopify.com, suggesting a coordinated effort to mask malicious activity.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=baki+epis%25C3%25B3dio+27+anime
- https://static.usrfiles.com/ugd/b8c837_657c74f870144bc7a1008b0e8912f42c.pdf
- https://static.usrfiles.com/ugd/7f46b5_0095a46e647b4c089258f647233338d9.pdf
- https://static.usrfiles.com/ugd/b8c837_a133d983df2b4d1285e1179212e4a39a.pdf
- https://static.usrfiles.com/ugd/b8c837_88df5c8725814e8daedac952781e8b81.pdf
- https://cdn.shopify.com/s/files/1/0435/5211/2804/files/developing_the_public_relations_campaign.pdf
- https://cdn.shopify.com/s/files/1/0439/8442/1022/files/aberdeenshire_council_school_holidays.pdf
- https://cdn.shopify.com/s/files/1/0434/1907/4722/files/78836061085.pdf
- https://cdn.shopify.com/s/files/1/0431/8085/1362/files/vatican_city_history.pdf
- https://cdn.shopify.com/s/files/1/0431/9336/8725/files/jasujupeforozedad.pdf
- https://static.usrfiles.com/ugd/b8c837_4a9d8c3bd2f34959b9573af6e6a70b68.pdf
- https://static.usrfiles.com/ugd/7f46b5_bc1340b218004f8da0ef2fa7fa943eec.pdf
- https://static.usrfiles.com/ugd/accd1f_40e051a75cbb4ce98eb293d9cf98c953.pdf
- https://static.usrfiles.com/ugd/b8c837_e17f5444ee2445dbbd3d9962f5a52bed.pdf
- https://cdn.shopify.com/s/files/1/0437/4953/9989/files/taxegexigunoragunejeg.pdf
- https://cdn.shopify.com/s/files/1/0429/8938/7939/files/60520743955.pdf
- https://cdn.shopify.com/s/files/1/0431/4624/8358/files/xixuvavukipuzas.pdf
- https://cdn.shopify.com/s/files/1/0434/3663/8360/files/routing_number_065000090.pdf
- https://cdn.shopify.com/s/files/1/0431/1298/8821/files/7950393062.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000651c.binb27530e0a238cd52191ec3f3c666d67b84236b48d6fddbf0e8b2bebcc72ec197 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x651C | 5436 bytes |
font_01_sfnt_off00007750.bin0b420dfe7f8a941382ef50c66846cee565d7c1600f187c75f7db266dc07b3763 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7750 | 12344 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.