MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates a PDF redirector link to 'https://ttraff.cc/pify?keyword=alliance+data+systems+corporation+annual+report+2018', suggesting a phishing or malicious redirection attempt. The document body, though partially corrupted, contains text related to 'Alliance data systems corporation annual report 2018' and references 'wkhtmltopdf', indicating a potential lure. The presence of numerous Shopify URLs, while many are benign, contributes to the link farm characteristic.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=alliance+data+systems+corporation+annual+report+2018
- http://files.countryintheuk.com/uploads/1/3/1/3/131398461/a9eab4ddcb4fb.pdf
- http://buteta.suzannedemontignycounseling.com/uploads/1/3/2/6/132695615/rebedisuba_moduzokiwafar_pubujinipiguza.pdf
- http://tulepifar.myacexportfolio.com/uploads/1/3/1/4/131407005/segewaduvopi-xutiji.pdf
- http://files.nomadicbackpacker.com/uploads/1/3/1/3/131381976/jozonejajojim.pdf
- http://files.gforceunlimited.com/uploads/1/3/1/6/131606056/9376217.pdf
- https://cdn.shopify.com/s/files/1/0429/9866/1279/files/41110204838.pdf
- https://cdn.shopify.com/s/files/1/0432/7286/3904/files/pneumatic_actuator_working_principle.pdf
- https://cdn.shopify.com/s/files/1/0435/2930/6263/files/38579816934.pdf
- https://cdn.shopify.com/s/files/1/0434/9100/0472/files/minecraft_classes_server.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kubogofire.pdf
- https://cdn.shopify.com/s/files/1/0428/3393/6547/files/97792226882.pdf
- https://cdn.shopify.com/s/files/1/0432/6244/3683/files/74683106861.pdf
- https://cdn.shopify.com/s/files/1/0439/2806/0059/files/ford_f150_owners_manual.pdf
- https://cdn.shopify.com/s/files/1/0434/5649/5783/files/62159835193.pdf
- https://cdn.shopify.com/s/files/1/0431/9690/7678/files/rules_of_chess_game.pdf
- https://cdn.shopify.com/s/files/1/0427/7580/6119/files/don_t_rock_the_jukebox_chords.pdf
- https://cdn.shopify.com/s/files/1/0435/1708/3802/files/sapuviposuxilen.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000886c.binf588112c7928eaee24f60651155c9d2db1ac4bb60657693aa8d287a70061150a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x886C | 5828 bytes |
font_01_sfnt_off00009c34.bin39482708618fdedc4baa658b0867c4827b5f6e03ab4375e416a4ae5bf595c739 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9C34 | 15328 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.