Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1204.002 Malicious Link
The PDF contains multiple embedded links, with one specifically pointing to a known malicious redirector. The document body also contains text that appears to be a lure for a password-protected archive, and a callback phone number lure. These elements suggest a phishing or scam campaign designed to trick the user into interacting with malicious links or providing sensitive information.
Heuristics (5)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment; often used to keep payloads encrypted until after gateway scanning.
- Callback phishing phone lure [medium] SE_CALLBACK_LURE: Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context; consistent with callback phishing or tech-support scam patterns.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.ru/pify?keyword=blackberry+8900+os+6++link
- http://files.lvapparel.net/uploads/1/3/0/7/130738614/6039566.pdf
- http://piwuxefip.uncdf-a2f-kigoma.com/uploads/1/3/0/7/130776225/881982.pdf
- http://sobokasob.dosterleadershipconference.com/uploads/1/3/1/1/131164250/giwotu.pdf
- https://cdn.shopify.com/s/files/1/0432/1837/0728/files/48590151753.pdf
- https://cdn.shopify.com/s/files/1/0429/7955/7539/files/8047088669.pdf
- https://cdn.shopify.com/s/files/1/0437/6264/7191/files/binkw32._dll_for_sleeping_dogs_free.pdf
- https://cdn.shopify.com/s/files/1/0437/8735/4270/files/carson_dellosa_reading_comprehension_grade_5.pdf
- https://cdn.shopify.com/s/files/1/0430/1442/2677/files/fumutajadofokekonir.pdf
- https://cdn.shopify.com/s/files/1/0431/6538/4866/files/49232836543.pdf
- https://cdn.shopify.com/s/files/1/0430/1009/7313/files/87153488900.pdf
- https://cdn.shopify.com/s/files/1/0432/1637/1867/files/dapujiliduwemi.pdf
- https://cdn.shopify.com/s/files/1/0434/8333/2772/files/faxagiwizusikemekovi.pdf
- https://cdn.shopify.com/s/files/1/0439/0692/4712/files/31562071677.pdf
- https://cdn.shopify.com/s/files/1/0432/0365/7887/files/12177161450.pdf
- https://cdn.shopify.com/s/files/1/0431/6073/1803/files/91036361357.pdf
- https://cdn.shopify.com/s/files/1/0433/9512/1319/files/lajaso.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000aba0.bin | 67ebcc3b7f9a41e6f10a5824e759c09b47f1f86ffb0686d079e38caacc3d1baa | pdf-font-stream | PDF embedded font (sfnt) at offset 0xABA0 | 5796 bytes |
| font_01_sfnt_off0000bf65.bin | 93acf7283f1d7f6342bb41bff8813f8cd272af39821f6197864e7d274a4c68ed | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBF65 | 11448 bytes |