MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a high number of embedded links, many pointing to Shopify domains, suggesting a link farm or redirection strategy. One critical heuristic identified a link to known malicious redirector infrastructure at 'ttraff.ru'. The document body, though heavily obfuscated, contains the same URL, indicating it's a primary lure. The presence of a 'download button' heuristic further supports a social engineering attack pattern.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=bcdedit.+exe+for+xp
- http://gunuk.womens4miler.org/uploads/1/3/0/8/130815017/xetikozaji.pdf
- http://files.villatesoristjohn.com/uploads/1/3/0/7/130775834/9f58c0a1cd79.pdf
- http://files.lafermemn.com/uploads/1/3/1/3/131380345/5835066.pdf
- https://cdn.shopify.com/s/files/1/0437/8843/5613/files/56237610644.pdf
- https://cdn.shopify.com/s/files/1/0428/7001/4111/files/32792199635.pdf
- https://cdn.shopify.com/s/files/1/0434/3198/5309/files/12645308849.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/86477918810.pdf
- https://cdn.shopify.com/s/files/1/0427/5650/5756/files/14131217498.pdf
- https://cdn.shopify.com/s/files/1/0430/4230/8250/files/41968479007.pdf
- https://cdn.shopify.com/s/files/1/0432/2538/3073/files/84406673323.pdf
- https://cdn.shopify.com/s/files/1/0428/1712/6556/files/git_branch_name.pdf
- https://cdn.shopify.com/s/files/1/0430/7327/4018/files/bitegepofalekukija.pdf
- https://cdn.shopify.com/s/files/1/0428/8918/3398/files/52534073631.pdf
- https://cdn.shopify.com/s/files/1/0432/5608/6696/files/82635003424.pdf
- https://cdn.shopify.com/s/files/1/0440/7135/4533/files/cancionero_musica_catolica_acordes.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f9a.bin099c1db47766fcc8fab3aaa62fb7808bcd966a5072b903a92267c6fc162768c6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F9A | 4876 bytes |
font_01_sfnt_off0000804b.binc62c3ae3a4efa78b1c1d4027c21051c807b4b73cc248f84bdf5136c356dd986e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x804B | 11380 bytes |
font_02_sfnt_off0000a6c4.bin4a41d7e182d54c13fd0401492552211af2609381ae6f503edd12761a0a0b0f88 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA6C4 | 16484 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.