MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a prominent link that redirects to a malicious URL, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to 'Agriculture books pdf in urdu' and the malicious URL itself, suggesting a lure. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, many pointing to benign Shopify URLs, likely part of a link farm to improve SEO for the malicious redirector. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=agriculture+books+pdf+in+urdu
- http://zisosip.triplecrownlacrosse.com/uploads/1/3/0/7/130776445/d0c20.pdf
- http://files.virtualqe.com/uploads/1/3/2/7/132710627/jikonurafumubapi.pdf
- http://files.fairyringschool.org/uploads/1/3/1/4/131437889/5486c9027237cdc.pdf
- https://cdn.shopify.com/s/files/1/0428/6906/3836/files/41029347574.pdf
- https://cdn.shopify.com/s/files/1/0435/9625/1304/files/36012994385.pdf
- https://cdn.shopify.com/s/files/1/0431/7655/8746/files/suzatikeziterisuwejibago.pdf
- https://cdn.shopify.com/s/files/1/0438/4777/8469/files/36922746906.pdf
- https://cdn.shopify.com/s/files/1/0428/9606/4671/files/tuwanibolibowojulamozor.pdf
- https://cdn.shopify.com/s/files/1/0440/7004/3813/files/8882257390.pdf
- https://cdn.shopify.com/s/files/1/0432/6332/8411/files/22587118737.pdf
- https://cdn.shopify.com/s/files/1/0434/8254/6341/files/99145322597.pdf
- https://cdn.shopify.com/s/files/1/0431/6083/0116/files/57520676158.pdf
- https://cdn.shopify.com/s/files/1/0431/0928/6050/files/open_veins_of_latin_america_download.pdf
- https://cdn.shopify.com/s/files/1/0434/4581/3413/files/88318470189.pdf
- https://cdn.shopify.com/s/files/1/0436/2862/6080/files/nunaxuragopixit.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off00008c52.bin476ff1e23e08b8b81623350449d8e17c7ca49a4fadb6d493e958291bf100eba5 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8C52 | 22288 bytes |
font_00_sfnt_off000057d6.binece1efff3c9773f958753a16e41ed0daf79defb450fb0d6b4b6456cce748be64 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x57D6 | 5308 bytes |
font_01_sfnt_off000069ef.bine911e70554f5b453a31cdb2bd9bce10b2d21fb7ecb39e4427663e5fe451d7bc8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x69EF | 10128 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.