MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=vehicle+inspection+form+pdf+free'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, some hosted on Shopify. The document body, though heavily obfuscated, contains the same malicious URL. The presence of a 'download button' heuristic further supports the lure mechanism.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=vehicle+inspection+form+pdf+free
- http://files.accruemineralsinc.com/uploads/1/3/2/8/132814168/wamukegam-desaruzu.pdf
- http://files.mingateachers.org/uploads/1/3/1/8/131871705/9215506.pdf
- http://files.brandjourno.com/uploads/1/3/0/8/130813054/pigedotipomisodam.pdf
- https://cdn.shopify.com/s/files/1/0427/5752/1574/files/xokuvulimatebibemomigesaz.pdf
- https://cdn.shopify.com/s/files/1/0431/3006/0955/files/gofivonefugasovavekupidil.pdf
- https://cdn.shopify.com/s/files/1/0434/0265/7957/files/tinkers_cold_blooded.pdf
- https://cdn.shopify.com/s/files/1/0433/0032/3478/files/nikeji.pdf
- https://cdn.shopify.com/s/files/1/0431/5506/2938/files/18783227683.pdf
- https://cdn.shopify.com/s/files/1/0431/7744/3483/files/buxaforabobaleluwelozepi.pdf
- https://cdn.shopify.com/s/files/1/0434/9932/3558/files/36517097123.pdf
- https://cdn.shopify.com/s/files/1/0428/2328/6940/files/80774917898.pdf
- https://cdn.shopify.com/s/files/1/0434/5593/8720/files/fufeguvuxipedifajoli.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/69262577592.pdf
- https://cdn.shopify.com/s/files/1/0431/2920/8986/files/dujejatusizerit.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e79b.bin85b692c1c636aed9ab1240d2a7361179fdd6c0849396a06064984f922e967b4f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE79B | 2828 bytes |
font_01_sfnt_off0000f195.bin012e8711a626507ba834bbb42e88413e47afe33aaad3a881b54f93955d2591ac |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF195 | 4936 bytes |
font_02_sfnt_off0001022a.bin9158138e5b281c66844982582d70397bab1a87f19ee9590780ef11a7a2abd1c6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1022A | 10024 bytes |
font_03_sfnt_off00012481.binb50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12481 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.