Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the clickable redirector URI in the PDF; if the carrier itself reaches a victim as a mail attachment, that delivery step is T1566.001, Spearphishing Attachment)
T1059.001 PowerShell (tagged by the analyzer, but nothing in this report supports it: no script, macro, launch action or JavaScript was extracted, the carved artifacts are all font streams, and the heuristics below attribute the threat to user-clicked redirect chains rather than code execution)
A critical heuristic fired on a clickable redirector link to 'https://ttraff.ru/pify?keyword=narasimha+movie+songs', a URL on infrastructure that forwards visitors into a malicious or unwanted-software delivery chain. The document text, though heavily obfuscated, contains the search phrase 'Narasimha movie songs' and names the wkhtmltopdf tool, which is consistent with an auto-generated HTML-to-PDF lure built around a search keyword rather than a genuine document. The many embedded links, mostly to cdn.shopify.com file URLs, further indicate a link-farm or redirection strategy: the same pattern as generated SEO link-farm PDFs that cross-link to one another so that searchers landing on any of them are routed into the chain. Nothing in the report points to a parser exploit; the risk is realised only when a user clicks a link.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs extracted:
- https://ttraff.ru/pify?keyword=narasimha+movie+songs
- http://files.whitewatercottages.com/uploads/1/3/1/8/131856456/kexaxaru-woroji.pdf
- http://files.coloradocattlewomen.com/uploads/1/3/1/4/131437123/fedew_sepokasiz_liweli.pdf
- http://dadejiv.trevors-trains.com/uploads/1/3/1/3/131379021/witotaloro-viporonafan-dukoruw-mokufe.pdf
- https://cdn.shopify.com/s/files/1/0433/9492/4694/files/51566557455.pdf
- https://cdn.shopify.com/s/files/1/0434/9696/4261/files/82927827507.pdf
- https://cdn.shopify.com/s/files/1/0435/6112/4008/files/what_does_ctrl_w_do.pdf
- https://cdn.shopify.com/s/files/1/0440/7712/1686/files/john_deere_lx178_parts.pdf
- https://cdn.shopify.com/s/files/1/0437/1621/4936/files/53356703050.pdf
- https://cdn.shopify.com/s/files/1/0434/1710/8642/files/vsco_full_android_apk.pdf
- https://cdn.shopify.com/s/files/1/0432/0778/6651/files/99897755936.pdf
- https://cdn.shopify.com/s/files/1/0431/8917/4432/files/kelekugem.pdf
- https://cdn.shopify.com/s/files/1/0432/7899/1520/files/77210518060.pdf
- https://cdn.shopify.com/s/files/1/0431/4310/2613/files/37144474034.pdf
- https://cdn.shopify.com/s/files/1/0436/7237/1350/files/jejobixenon.pdf
- https://cdn.shopify.com/s/files/1/0430/5915/1009/files/26914517872.pdf
XMP metadata namespace URIs (RDF, Dublin Core and Adobe XMP schema identifiers from the document's XMP packet; these are not clickable link targets and are expected in any PDF that carries XMP metadata):
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
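As a worked example of the two critical heuristics above, the following stdlib-only Python scanner is added here (it is not the analyzer's own code). It pulls /URI targets out of link annotations in raw PDF bytes and applies a redirector-host check and a link-farm check to a constructed PDF that carries this report's own link list. The thresholds (512 KiB, 10 links, 50 % clustering), the indicator set seeded from ttraff.ru, and the sample-PDF builder are assumptions made for the example; the XMP namespace URIs listed above are deliberately absent from the sample because they live in the metadata stream, not in link annotations, and this scanner would never see them.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicator set seeded from the single redirector host named in this report.
# A production check would load a curated feed instead of a hard-coded set.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Thresholds are assumptions for this example, not the analyzer's tuned values.
SMALL_PDF_BYTES = 512 * 1024       # "small" carrier: under 512 KiB
MIN_EXTERNAL_PDF_LINKS = 10        # "many" clickable external .pdf links
CLUSTER_RATIO = 0.5                # "mostly" on one host: at least half of them

# /URI values of link annotations, as PDF literal strings "(...)" with backslash
# escapes or hex strings "<...>". Only uncompressed objects are visible to a byte
# scan, so decompress real samples first (for example with qpdf --qdf).
_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_link_uris(pdf):
    """Return every /URI target found in the raw PDF bytes, in file order."""
    found = []
    for m in _LITERAL.finditer(pdf):
        # Drop the escaping backslash: \( \) \\ -> ( ) \ (octal escapes not handled)
        found.append((m.start(), re.sub(rb"\\(.)", rb"\1", m.group(1))))
    for m in _HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m.group(1))
        if len(h) % 2:                 # PDF pads an odd final nibble with 0
            h += b"0"
        found.append((m.start(), bytes.fromhex(h.decode("ascii"))))
    return [u.decode("latin-1") for _, u in sorted(found)]


def assess(pdf):
    """Apply the redirector-link and SEO link-farm heuristics to one PDF."""
    uris = extract_link_uris(pdf)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    redirector_hosts = sorted({urlsplit(u).hostname for u in external} & KNOWN_REDIRECTOR_HOSTS)
    return {
        "size_bytes": len(pdf),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "redirector_hosts": redirector_hosts,
        "PDF_MALICIOUS_REDIRECTOR_LINK": bool(redirector_hosts),
        "PDF_SEO_LINK_FARM": (len(pdf) < SMALL_PDF_BYTES
                              and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
                              and share >= CLUSTER_RATIO),
    }


def build_sample_pdf(uris):
    """Constructed single-page PDF with one /Link annotation per URI (sample input
    for this example). No xref table is written; that is enough for a byte scanner."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{n} 0 R" for n in range(4, 4 + len(uris)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{refs}] >>".encode())
    for u in uris:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ({esc}) >> >>".encode())
    out = bytearray(b"%PDF-1.4\n")
    for n, body in enumerate(objs, 1):
        out += f"{n} 0 obj\n".encode() + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


# Link targets copied from the report's URL list above (constructed sample input).
SAMPLE_URIS = [
    "https://ttraff.ru/pify?keyword=narasimha+movie+songs",
    "http://files.whitewatercottages.com/uploads/1/3/1/8/131856456/kexaxaru-woroji.pdf",
    "http://files.coloradocattlewomen.com/uploads/1/3/1/4/131437123/fedew_sepokasiz_liweli.pdf",
    "http://dadejiv.trevors-trains.com/uploads/1/3/1/3/131379021/witotaloro-viporonafan-dukoruw-mokufe.pdf",
] + [f"https://cdn.shopify.com/s/files/1/{p}/files/{f}" for p, f in [
    ("0433/9492/4694", "51566557455.pdf"), ("0434/9696/4261", "82927827507.pdf"),
    ("0435/6112/4008", "what_does_ctrl_w_do.pdf"), ("0440/7712/1686", "john_deere_lx178_parts.pdf"),
    ("0437/1621/4936", "53356703050.pdf"), ("0434/1710/8642", "vsco_full_android_apk.pdf"),
    ("0432/0778/6651", "99897755936.pdf"), ("0431/8917/4432", "kelekugem.pdf"),
    ("0432/7899/1520", "77210518060.pdf"), ("0431/4310/2613", "37144474034.pdf"),
    ("0436/7237/1350", "jejobixenon.pdf"), ("0430/5915/1009", "26914517872.pdf"),
]]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, both critical heuristics fire: 15 of the 16 external links point at .pdf files, 12 of those 15 sit on cdn.shopify.com (an 80 % cluster), the file is a few kilobytes, and ttraff.ru matches the indicator set. A single-link PDF fires neither, which is the distinction the link-farm rule is meant to draw against ordinary citation links. The byte-scan approach is deliberately simple; a carrier that stores its annotations in a FlateDecode object stream defeats it unless the file is decompressed first.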
Extracted artifacts (5)
Files carved from inside the sample during analysis. All five are embedded sfnt (TrueType/OpenType) font programs, a normal component of a generated PDF; no heuristic fired on them.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000af23.bin | 7fd02565f76d173d6804453b21365613e0c26ee9082e3285ca7ffd9b2fa4d6a0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAF23 | 4804 bytes |
| font_01_sfnt_off0000bf45.bin | c527cf8bbf2e625709c7cb17927dc0c81a3d85e0645fad5c1ead646a8c70d102 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBF45 | 4356 bytes |
| font_02_sfnt_off0000ce46.bin | f526def943671721c8c3bcc2249debb85e192669986e1983e55cc888ab47ee1c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCE46 | 10400 bytes |
| font_03_sfnt_off0000f22d.bin | 4bd16c8abd39118228c1571b0005d4eb3b3e943e572fd92a2a80cfcb7b749349 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF22D | 16164 bytes |
| font_04_sfnt_off00010742.bin | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10742 | 4324 bytes |