MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains multiple embedded links, with one specifically identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms this, pointing to 'https://ttraff.ru/pify?keyword=ielts+recent+actual+test+vol+2+pdf'. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic suggests a social engineering lure to trick users into clicking the malicious link, likely to download a secondary payload or redirect to a phishing site. The document body contains garbled text but also includes the malicious URL.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=ielts+recent+actual+test+vol+2+pdf
- http://files.kennethvisionmedia.com/uploads/1/3/1/4/131437657/9d32883b1a8.pdf
- http://files.allsaintssjvcomputerlab.com/uploads/1/3/2/7/132741225/wexifudapixovuneso.pdf
- http://files.psychicmediumjudilynch.com/uploads/1/3/1/4/131437924/2148894.pdf
- http://galoke.maplepta.com/uploads/1/3/1/4/131483083/rixiraroz_namarumom_movidoxowinoti.pdf
- https://cdn.shopify.com/s/files/1/0429/2660/4447/files/xikelokareto.pdf
- https://cdn.shopify.com/s/files/1/0434/6665/3858/files/zybes_price_guide.pdf
- https://cdn.shopify.com/s/files/1/0429/7955/7535/files/72973487239.pdf
- https://cdn.shopify.com/s/files/1/0433/8732/2522/files/60508005026.pdf
- https://cdn.shopify.com/s/files/1/0432/7358/4793/files/atv_bush_hog.pdf
- https://cdn.shopify.com/s/files/1/0427/5883/2294/files/rekedifijosuwozep.pdf
- https://cdn.shopify.com/s/files/1/0432/7990/9017/files/buziposewunarig.pdf
- https://cdn.shopify.com/s/files/1/0431/3533/6605/files/loturelewijozoru.pdf
- https://cdn.shopify.com/s/files/1/0433/5878/1590/files/14606143483.pdf
- https://cdn.shopify.com/s/files/1/0429/6956/3290/files/50839037417.pdf
- https://cdn.shopify.com/s/files/1/0436/1319/2349/files/73455448833.pdf
- https://cdn.shopify.com/s/files/1/0431/0342/0570/files/57462827691.pdf
- https://cdn.shopify.com/s/files/1/0431/2304/8609/files/87402864100.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005876.binf58391e80d00d3f1d0df5e5c333d18b7cea4065519fe22206d94c44ea77faaf3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5876 | 5280 bytes |
font_01_sfnt_off00006a86.bine8280676a83e1339e8ee2e4a5b8853042770038c889d9f5c44968ca46e94ee63 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A86 | 10052 bytes |
font_02_sfnt_off00008d14.binadcf01907b0de346ca81bc3190535c37dabb1657ad34b3f58160767d3d46e8e2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D14 | 16156 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.