MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a significant number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One critical heuristic firing indicates a link to a known malicious redirector at ttraff.com. The document body, though heavily obfuscated, contains the same malicious URL, suggesting the primary intent is to redirect the user to malicious infrastructure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=bubble+bobble+memories+apk
- http://files.the-green-school.org/uploads/1/3/2/7/132712373/2755378.pdf
- http://files.kbassormt.ca/uploads/1/3/1/3/131381480/madosaside.pdf
- http://files.hicsa.org/uploads/1/3/1/0/131071072/xogutefu-nesovevevini-kadelize-wijopoj.pdf
- http://files.ballroom-blitz.com/uploads/1/3/1/4/131452867/luvefaxubog.pdf
- http://files.shunsart.com/uploads/1/3/0/7/130775921/ab0820e8bec20.pdf
- https://cdn.shopify.com/s/files/1/0429/7388/8671/files/viragumibowegerom.pdf
- https://cdn.shopify.com/s/files/1/0464/1344/7336/files/tawuwovaleruwalavifatefik.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/73470001672.pdf
- https://cdn.shopify.com/s/files/1/0428/6890/0006/files/bemuwuruwezazox.pdf
- https://cdn.shopify.com/s/files/1/0440/9815/8744/files/846466214.pdf
- https://cdn.shopify.com/s/files/1/0428/7922/1927/files/mobutotuvunojedajifun.pdf
- https://cdn.shopify.com/s/files/1/0434/5063/0296/files/wotosewatojifututebu.pdf
- https://cdn.shopify.com/s/files/1/0433/5593/0783/files/7664683219.pdf
- https://cdn.shopify.com/s/files/1/0438/2998/5430/files/gijobutimuzefozudotara.pdf
- https://cdn.shopify.com/s/files/1/0427/6961/2966/files/gurren_lagann_episode_6_uncut.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006853.bin83fc83a3b7a5ecb3d0c0d7234f66daa8cc2a2a0a95478dd68c0577bfe4cac381 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6853 | 4912 bytes |
font_01_sfnt_off000078f8.bin5c0e874dd76beffd31bd4868d82f491b3cadead12aea739412578b7d5b5e4a15 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x78F8 | 8536 bytes |
font_02_sfnt_off00008ff2.bindb501b10b00b8086b381105629b83a2bc1b36d712182d9fd86f648fe49cf1748 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8FF2 | 15252 bytes |
font_03_sfnt_off0000bf2a.bin7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBF2A | 4324 bytes |
font_04_sfnt_off0000cd2b.bin2771d55b51ff65a7fb5333b85693b8a431ccd293351b0d422a219fa066fe951b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCD2B | 4596 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.