MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link pointing to ttraff.ru. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on Shopify. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure for 'Mysqldb for windows'. The presence of a download button heuristic further supports the social engineering aspect of this attack.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=mysqldb+for+windows
- http://files.teakfurnituresudbury.com/uploads/1/3/2/3/132302871/nogetude-samejegiw-marag.pdf
- http://files.merebrookllc.com/uploads/1/3/1/3/131383251/ruvatoke_sokirijibe_roxiwogam.pdf
- http://files.baysideoakland.com/uploads/1/3/2/6/132695887/79653d63.pdf
- http://files.thistleandivory.com/uploads/1/3/2/6/132681928/7f541794134d.pdf
- https://cdn.shopify.com/s/files/1/0439/5764/9566/files/62965172438.pdf
- https://cdn.shopify.com/s/files/1/0430/0757/4179/files/dimox.pdf
- https://cdn.shopify.com/s/files/1/0429/7824/6815/files/14099818605.pdf
- https://cdn.shopify.com/s/files/1/0434/9041/0658/files/83533362978.pdf
- https://cdn.shopify.com/s/files/1/0431/6656/4507/files/jefufiwut.pdf
- https://cdn.shopify.com/s/files/1/0427/7963/9967/files/95270780462.pdf
- https://cdn.shopify.com/s/files/1/0427/6381/3020/files/lewoxenuwesavuraves.pdf
- https://cdn.shopify.com/s/files/1/0434/2287/5800/files/gexupubudalasolutozased.pdf
- https://cdn.shopify.com/s/files/1/0428/8384/2215/files/56166855712.pdf
- https://cdn.shopify.com/s/files/1/0434/0632/7959/files/50743909139.pdf
- https://cdn.shopify.com/s/files/1/0430/6773/6225/files/fumelewuxobadanuwagedev.pdf
- https://cdn.shopify.com/s/files/1/0428/0342/9535/files/30824247688.pdf
- https://cdn.shopify.com/s/files/1/0435/9385/9231/files/zosusivadawutor.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005f20.bin6f310923a2fe5520a923e0940f8b8001b78d895f5b555ec7b6d1afcf8ec3bc5e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F20 | 5156 bytes |
font_01_sfnt_off000070d7.bindd9d108f441db087afe6faceac03434bcd64dd95e733eed96db0d1008051c5fd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x70D7 | 9828 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.