MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a high number of embedded links, many pointing to a link farm hosted on cdn.shopify.com, which is a strong indicator of SEO poisoning or link farming for malicious redirection. One critical heuristic identified a link to a known malicious redirector, ttraff.cc. The document also provides password instructions, suggesting it's a lure to keep payloads encrypted until after gateway scanning. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=janapada+geethalu+songs++naa+songs
- http://files.suzannevyletel.com/uploads/1/3/0/7/130739633/lugotin_sizefis_metepubiwekas.pdf
- http://files.amycerickson.com/uploads/1/3/0/9/130969446/girufovekezeter_ledojiguje_zewakogirusopam_sokexolaxod.pdf
- http://files.groove-republic.com/uploads/1/3/0/7/130740211/8068419.pdf
- http://files.jordanmclayton.com/uploads/1/3/0/9/130969655/e4bff2a.pdf
- https://cdn.shopify.com/s/files/1/0430/5253/1869/files/92206752811.pdf
- https://cdn.shopify.com/s/files/1/0435/8881/2959/files/99737302849.pdf
- https://cdn.shopify.com/s/files/1/0431/2167/2356/files/pawoponanudotuserijat.pdf
- https://cdn.shopify.com/s/files/1/0432/4953/3088/files/61984075245.pdf
- https://cdn.shopify.com/s/files/1/0441/4029/8392/files/mivuvafaxufumogopa.pdf
- https://cdn.shopify.com/s/files/1/0430/1602/8309/files/nukega.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/welilavuruwad.pdf
- https://cdn.shopify.com/s/files/1/0427/7764/1116/files/metuvi.pdf
- https://cdn.shopify.com/s/files/1/0431/2979/8818/files/guzufarawamel.pdf
- https://cdn.shopify.com/s/files/1/0435/2393/2311/files/43196370733.pdf
- https://cdn.shopify.com/s/files/1/0429/6340/2905/files/99676798211.pdf
- https://cdn.shopify.com/s/files/1/0429/3469/8147/files/rikimasojetawizodaroj.pdf
- https://cdn.shopify.com/s/files/1/0428/1024/5286/files/54692249568.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005e81.bine31baafa6c8c40ffd46c98a224b9a4f47e90453557f1eb0f23919dbe68722a58 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E81 | 4948 bytes |
font_01_sfnt_off00006f47.bin8e3f45399d90a018b6a6598fd2fb61465332a694cc7eec916069dd000f26e066 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F47 | 2452 bytes |
font_02_sfnt_off00007a2e.bind61215ea53dc0f59454da6b7aa15dbaa5dd8e9fd7670020b57f42db66761bc2e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A2E | 14292 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.