MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=www+mitelcel+com'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many hosted on Shopify. The document body, though heavily obfuscated, contains the same URL, reinforcing the lure. The SE_INVOICE_LURE heuristic suggests a pretext of payment or invoice, intended to trick the user into clicking the malicious link.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=www+mitelcel+com
- http://files.fishersenglishfun4all.com/uploads/1/3/0/9/130969939/boxifolopa.pdf
- http://files.natalie-coppola.com/uploads/1/3/0/9/130969440/6e28f16e83e0e4.pdf
- http://files.irmacalabrese.com/uploads/1/3/1/4/131453698/zesupar_wezukekekir_lunefujemikibag.pdf
- https://cdn.shopify.com/s/files/1/0428/1679/8883/files/13967377421.pdf
- https://cdn.shopify.com/s/files/1/0431/4929/5770/files/fogevoxava.pdf
- https://cdn.shopify.com/s/files/1/0430/7684/5728/files/65724696763.pdf
- https://cdn.shopify.com/s/files/1/0435/7373/9675/files/3797354234.pdf
- https://cdn.shopify.com/s/files/1/0434/2503/8497/files/77625705350.pdf
- https://cdn.shopify.com/s/files/1/0432/5936/3488/files/nomarasubirisobimizebu.pdf
- https://cdn.shopify.com/s/files/1/0432/1142/3902/files/17747558517.pdf
- https://cdn.shopify.com/s/files/1/0431/6554/8708/files/43527873587.pdf
- https://cdn.shopify.com/s/files/1/0435/3903/8360/files/58778817912.pdf
- https://cdn.shopify.com/s/files/1/0431/0073/3596/files/fajatotarebenabavuwideget.pdf
- https://cdn.shopify.com/s/files/1/0428/8489/0790/files/37583213407.pdf
- https://cdn.shopify.com/s/files/1/0433/6759/6184/files/29620676436.pdf
- https://cdn.shopify.com/s/files/1/0431/9277/8912/files/loxexanagep.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000619d.bin59ef52b433fb1eff88bb9ded6842f417682b901409f8c8998892c0f78ec7d5b3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x619D | 4568 bytes |
font_01_sfnt_off00007132.binb8fdea1975b01decb586b12666cdb795c3223f5492ab67c3a1ebc52104e6634a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7132 | 15136 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.