Verdict: MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
- T1204.002 Malicious Link
The PDF file contains a mass external link farm, with several links pointing to potentially malicious redirectors. One critical heuristic indicates a direct link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that appears to be a call-to-action, reinforcing the lure. The presence of numerous PDF links, many hosted on Shopify, suggests an attempt to disguise malicious content within seemingly legitimate documents.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ttraff.cc/pify?keyword=adb+wifi+android+studio+mac
- http://japaworiz.stmonicaschools.com/uploads/1/3/1/4/131437402/5479673.pdf
- http://tesuwo.randybaskerville.com/uploads/1/3/2/7/132740873/gifodituju.pdf
- http://files.naspain.com/uploads/1/3/1/4/131483108/fazaxusiko.pdf
- http://narezojog.wisdomcabbageinc.com/uploads/1/3/1/8/131856772/3fb075.pdf
- https://cdn.shopify.com/s/files/1/0432/4678/0579/files/unisa_application_appeal_form_2020.pdf
- https://cdn.shopify.com/s/files/1/0439/0669/5320/files/54457161696.pdf
- https://cdn.shopify.com/s/files/1/0435/9897/1038/files/71598371883.pdf
- https://cdn.shopify.com/s/files/1/0434/5063/0296/files/dobuwemaxigolatebipud.pdf
- https://cdn.shopify.com/s/files/1/0429/6127/2983/files/zamosizusarozajasejaxa.pdf
- https://cdn.shopify.com/s/files/1/0430/6799/8362/files/fobifan.pdf
- https://cdn.shopify.com/s/files/1/0434/6360/6422/files/70038178906.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/28821374719.pdf
- https://cdn.shopify.com/s/files/1/0436/8783/7849/files/solution_book_of_thomas_calculus_12th_edition.pdf
- https://cdn.shopify.com/s/files/1/0431/5096/6950/files/bajufeworub.pdf
- https://cdn.shopify.com/s/files/1/0433/7070/9150/files/46896446886.pdf
- https://cdn.shopify.com/s/files/1/0430/6403/3429/files/power_of_attorney_form_colorado.pdf
- https://cdn.shopify.com/s/files/1/0439/5932/0734/files/13099076240.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000b24f.bin | bc2ae278905e5e9a48e7aa6f505829e2d2536e248eded1855c4ed508ee7f0b59 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB24F | 5356 bytes |
| font_01_sfnt_off0000c47b.bin | 5706da485e3220eed99555c25c597742204d32bf235337c81b71e324d56e776a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC47B | 13936 bytes |
| font_02_sfnt_off0000f0e9.bin | ed45a24507f18daeaf6b6e9cac20235e9e43bed88bc2d44b7621eff085e31190 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0E9 | 16344 bytes |