Malware Insights
The PDF file contains a link to a known malicious redirector, ttraff.com, which is a strong indicator of malicious intent. The document body, though heavily obfuscated, contains text fragments related to 'Framelayout in xamarin android' and a URL that matches the malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms the link's malicious nature. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests that the document may attempt to execute commands, potentially via PowerShell, to further its malicious objectives. The 'SE_URGENCY_LURE' heuristic indicates a social engineering tactic to prompt immediate user action.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=framelayout+in+xamarin+android
- http://files.devitthouse.com/uploads/1/3/0/7/130776817/6003574.pdf
- http://files.gettysburgchambermusic.org/uploads/1/3/1/4/131483830/taxusubijazaxil.pdf
- http://files.digmycurlakitas.com/uploads/1/3/2/6/132681910/nifegotiso-fatusij.pdf
- https://cdn.shopify.com/s/files/1/0435/4749/2506/files/salelu.pdf
- https://cdn.shopify.com/s/files/1/0432/5192/5155/files/doputebufopepifo.pdf
- https://cdn.shopify.com/s/files/1/0432/6172/2788/files/zapixebaxerumotejoto.pdf
- https://cdn.shopify.com/s/files/1/0430/1216/1685/files/joint_venture_agreement_checklist.pdf
- https://cdn.shopify.com/s/files/1/0437/0127/2729/files/pte_academic_writing_practice_test.pdf
- https://cdn.shopify.com/s/files/1/0436/9799/5944/files/bupujekuwetaveva.pdf
- https://cdn.shopify.com/s/files/1/0427/8065/5775/files/wowonowafi.pdf
- https://cdn.shopify.com/s/files/1/0433/0799/1208/files/18163269112.pdf
- https://cdn.shopify.com/s/files/1/0433/9436/7649/files/texaponekiv.pdf
- https://cdn.shopify.com/s/files/1/0434/4017/7317/files/savopetug.pdf
- https://cdn.shopify.com/s/files/1/0430/0426/4602/files/wordpress_get_blog_url.pdf
- https://cdn.shopify.com/s/files/1/0430/6052/7265/files/zifafuwuf.pdf
- https://cdn.shopify.com/s/files/1/0431/8189/9944/files/25253281436.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0002245d.bin144ab5bccd03dda4e6f12a7147079c1511fbb43c45a1dc593b5ee453ca036f2f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2245D | 4916 bytes |
font_01_sfnt_off00023508.bineef8b089fce0cfb778e6e4d78b4f02a80619c8b6ec81c04df75fb0096244dd3f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x23508 | 14248 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.