MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains numerous embedded links, with a critical heuristic identifying it as a PDF link farm. One of the primary links directs to a known malicious redirector service, 'ttraff.ru', which is likely used to obscure the ultimate malicious destination. The document body is heavily obfuscated and contains what appears to be a reconstructed URL, but it is too corrupted to be certain. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=audio+modification+library+android
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/35035436777.pdf
- https://cdn.shopify.com/s/files/1/0431/7013/6218/files/enchainement_d_accords_guitare_basse.pdf
- https://cdn.shopify.com/s/files/1/0431/8278/4676/files/66315590444.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gijamibumiji.pdf
- https://cdn.shopify.com/s/files/1/0433/0346/9221/files/51092837663.pdf
- https://static.usrfiles.com/ugd/0c8cc8_ee2dcc883cb84431aa3221cbcc85b490.pdf
- https://static.usrfiles.com/ugd/b8c837_6d963c41c3254c718a19e9826dba365e.pdf
- https://static.usrfiles.com/ugd/6290de_679bb910c1a1472bbdd8ee183413d085.pdf
- https://static.usrfiles.com/ugd/d1d005_0bb0dede37d24c618314070627efbbe7.pdf
- https://static.usrfiles.com/ugd/76b6de_4b8cb5f5a8124b998df1ef9c531b0cba.pdf
- https://cdn.shopify.com/s/files/1/0431/1865/7697/files/vuroli.pdf
- https://cdn.shopify.com/s/files/1/0465/2636/5854/files/pokemon_fireburn_rom_download.pdf
- https://cdn.shopify.com/s/files/1/0432/0568/9499/files/delegation_poker_cards.pdf
- https://cdn.shopify.com/s/files/1/0436/0686/8126/files/pdf_file_merger_chrome.pdf
- https://cdn.shopify.com/s/files/1/0431/2816/0413/files/muxogogosawogixapuwedipif.pdf
- https://cdn.shopify.com/s/files/1/0433/9603/8812/files/91083442716.pdf
- https://cdn.shopify.com/s/files/1/0429/2778/4099/files/97315594965.pdf
- https://cdn.shopify.com/s/files/1/0430/8933/0330/files/python_flask_logging.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/042
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008093.binadb83e344b652a73f8d56ff20567c1fdfbf1b5d2c94e8aaaeb228c122db13ff1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8093 | 5220 bytes |
font_01_sfnt_off00009246.bin1e09e5a580d9dc259b21d57dbbb3b587fa4f97a61ac4a9efc53ed9b5a6e4309d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9246 | 10384 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.