MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains numerous embedded links, a common tactic for SEO poisoning and redirecting users to malicious sites. One critical heuristic identified a link to a known malicious redirector, ttraff.ru, which is disguised as a tool to reduce PDF file size. The document body, though heavily obfuscated, contains this URL and other Shopify links, likely part of a link farm designed to improve search engine rankings for malicious content. The presence of a download button lure further supports the malicious intent.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=reduce+pdf+file+size+online+free+100kb
- https://cdn.shopify.com/s/files/1/0434/3798/1852/files/certificate_of_completion_and_compliance.pdf
- https://cdn.shopify.com/s/files/1/0437/2434/1400/files/xamomeminutijufafuw.pdf
- https://cdn.shopify.com/s/files/1/0435/9510/4418/files/outlook_for_mac_office_365.pdf
- https://static.usrfiles.com/ugd/b8c837_1f2e5d2036c146418585a26300aef531.pdf
- https://static.usrfiles.com/ugd/b8c837_26fae11a3472496fb78025c00affefdb.pdf
- https://static.usrfiles.com/ugd/5cf23b_0b299fc280f14595a3c9fce6c0e44c98.pdf
- https://static.usrfiles.com/ugd/87fdc7_2ff53d7bf3734b84b243701f48819145.pdf
- https://static.usrfiles.com/ugd/b8c837_834b4f043556456aaa3fd29d90dcb026.pdf
- https://static.usrfiles.com/ugd/b8c837_24eca2a73b324c8b913d0c713845b476.pdf
- https://static.usrfiles.com/ugd/5de1df_f9de57d318af4c1399257dedd5a2a75c.pdf
- https://static.usrfiles.com/ugd/34ec99_ed4ee98af95a46c6908b1b672570050a.pdf
- https://static.usrfiles.com/ugd/9ff9b8_7973d50acde8436f817485a5531bb8de.pdf
- https://static.usrfiles.com/ugd/9c43ec_7a7b93d369294bcd8186fa1c08a661ea.pdf
- https://static.usrfiles.com/ugd/b910ae_654a5499d5c74acf829c9f7984f361e5.pdf
- https://static.usrfiles.com/ugd/affb4a_06f52c6088cd4665ab60914aa4bb76b9.pdf
- https://static.usrfiles.com/ugd/b8c837_e3c088c13cb04a428c58dfef8b604f5f.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005858.bin206f755e40a0145e6f5b93af838238812478d8fecd86c0b41faddb275ec2e020 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5858 | 5396 bytes |
font_01_sfnt_off00006ad6.bin288c2cea80a2f4fe07f489d2a382bf861c390bdd3dfca55127df83958428e433 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AD6 | 10080 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.