MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a significant number of embedded links, with a critical heuristic firing indicating a link to a known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=ajax+call+php'. Another critical heuristic identified a large PDF link farm, with the first URL pointing to 'https://cdn.shopify.com/s/files/1/0428/9875/1641/files/jegizuwaropafutozu.pdf'. The document body contains garbled text but also includes the malicious redirector URL and several benign-looking Shopify URLs, suggesting a lure to external content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=ajax+call+php
- http://files.designamanila.com/uploads/1/3/2/6/132681698/lezuledowe_zejojok_pizunojuvunuj_roxewodogi.pdf
- http://files.eastsideserves.org/uploads/1/3/1/4/131483955/soxuwimixapus.pdf
- http://files.permittechnation.org/uploads/1/3/0/8/130813448/dosore.pdf
- http://files.swimbridgepreschool.com/uploads/1/3/2/7/132712000/tazafilur.pdf
- http://files.organizedphotos.com/uploads/1/3/1/8/131871740/3286342.pdf
- https://cdn.shopify.com/s/files/1/0428/9875/1641/files/jegizuwaropafutozu.pdf
- https://cdn.shopify.com/s/files/1/0434/3198/5309/files/25711593610.pdf
- https://cdn.shopify.com/s/files/1/0433/0723/7531/files/somitenugoxajamox.pdf
- https://cdn.shopify.com/s/files/1/0429/0304/4263/files/67457331405.pdf
- https://cdn.shopify.com/s/files/1/0429/4233/3087/files/zevarotipivelesirep.pdf
- https://cdn.shopify.com/s/files/1/0437/6562/9077/files/pujonudegajokopaxejaga.pdf
- https://cdn.shopify.com/s/files/1/0431/8468/5224/files/pomidedetutodijufisele.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lezoxaxus.pdf
- https://cdn.shopify.com/s/files/1/0436/1791/0944/files/zelevaxazukosexutopagamu.pdf
- https://cdn.shopify.com/s/files/1/0433/0638/5558/files/81952769424.pdf
- https://cdn.shopify.com/s/files/1/0429/0835/2679/files/62718134422.pdf
- https://cdn.shopify.com/s/files/1/0432/0703/2990/files/gilorisunepar.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007005.bin667d9c4ae12693e800b608aa4ca3c5fb347bbfa4d5ae8b548c24807561fa5525 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7005 | 4208 bytes |
font_01_sfnt_off00007e51.bina4ff23ec5b0cee7f7f7fe68c93388aa8718051ec2d37a1abcae82b315be2afd6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E51 | 10480 bytes |
font_02_sfnt_off0000a221.bincd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA221 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.