MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains multiple embedded links, with a critical heuristic firing for a malicious redirector. The document body, though heavily obfuscated, contains the text "Potential form kaimasu" and the malicious URL https://ttraff.com/pify?keyword=potential+form+kaimasu. This suggests a phishing or scam attempt to redirect the user to malicious content. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=potential+form+kaimasu
- http://files.livebeyondthelens.com/uploads/1/3/1/4/131452836/4022694.pdf
- https://cdn.shopify.com/s/files/1/0431/2901/2381/files/46816690612.pdf
- https://cdn.shopify.com/s/files/1/0428/9763/7535/files/73618745998.pdf
- https://cdn.shopify.com/s/files/1/0433/9721/8471/files/log4j_maven_dependency.pdf
- https://cdn.shopify.com/s/files/1/0431/6784/2459/files/cateterismo_vesical_femenino.pdf
- https://cdn.shopify.com/s/files/1/0439/5896/0286/files/aromatic_hydrocarbons_chemguide.pdf
- https://cdn.shopify.com/s/files/1/0439/7583/5806/files/adjoining_precincts_form.pdf
- https://cdn.shopify.com/s/files/1/0436/8252/9445/files/luxiwufa.pdf
- https://cdn.shopify.com/s/files/1/0434/9437/5576/files/countdown_job_application_form.pdf
- https://cdn.shopify.com/s/files/1/0431/3799/0805/files/73238126408.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/safuginogatujato.pdf
- https://cdn.shopify.com/s/files/1/0434/5928/1061/files/vawedinel.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_007_off0000d3b1.bin2df47511c410956a24fb49494866a39d684d78e7e7741c117662370cc9d7a50b |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD3B1 | 18480 bytes |
font_00_sfnt_off00005d5a.bin718f29d35fe6678a608f65064f0c81c8c4692421311531f1d4d5275a73f7a89c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D5A | 7808 bytes |
font_01_sfnt_off000077d0.bin3fb5ff23f0875753ae00ee49664393fc8528830a12cec9049fd9fb67c7c8ef90 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x77D0 | 4860 bytes |
font_02_sfnt_off0000882b.bina20778ffb9ebf7a1880647bb65e38b149a0a661c86f0bc592edd4a65f4320911 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x882B | 7004 bytes |
font_03_sfnt_off00009b1d.bind171260a64fec5fa325153b3d630c9b71e6a21f10721513f3ec580d13bdb6971 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9B1D | 18776 bytes |
font_05_sfnt_off0000f13e.bin05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF13E | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.