Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell (not evidenced by any artifact in this sample, which carries clickable links rather than script content; retain this mapping only if the downstream delivery chain is confirmed to use it)
The PDF carries 18 clickable link targets. Seventeen point at other PDF files: 12 on cdn.shopify.com and 5 on assorted hosts that share the same /uploads/1/3/... path layout. The eighteenth points at a known malicious redirector (ttraff.ru). The page content, though heavily obfuscated, also contains that redirector URL together with the keywords of an "english to spanish dictionary pdf download" lure. Many cross-linked PDF carriers clustered on one CDN host is the pattern of a generated link farm used for SEO poisoning, with the farm routing the reader into the redirector; the Shopify CDN and the other hosts merely store the carriers and are not themselves the malicious endpoint. The remaining extracted URLs (w3.org, purl.org, ns.adobe.com) are XMP metadata namespace identifiers, not links.
Heuristics (3)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
- https://ttraff.ru/pify?keyword=english+to+spanish+dictionary+pdf+download
- http://files.nfcareers.com/uploads/1/3/1/6/131606349/b208fa5a.pdf
- http://nelakoda.chrisministries.com/uploads/1/3/2/6/132681579/vopupavaxivoguduvi.pdf
- http://files.ccmooresville.com/uploads/1/3/1/3/131381819/tanupip.pdf
- http://tavajuna.makeitrainbitcoins.com/uploads/1/3/0/7/130740025/5120497.pdf
- http://files.heartridgeministries.com/uploads/1/3/1/3/131398195/losoxi.pdf
- https://cdn.shopify.com/s/files/1/0431/4421/6727/files/blackout_text_adobe_reader.pdf
- https://cdn.shopify.com/s/files/1/0430/9788/2773/files/98069655896.pdf
- https://cdn.shopify.com/s/files/1/0430/2890/6138/files/46874693526.pdf
- https://cdn.shopify.com/s/files/1/0431/7341/3028/files/2132455715.pdf
- https://cdn.shopify.com/s/files/1/0432/6745/7188/files/rijajoburolawakumuxefi.pdf
- https://cdn.shopify.com/s/files/1/0432/0044/6626/files/ralotebolefuzez.pdf
- https://cdn.shopify.com/s/files/1/0434/1678/0956/files/assam_tribune_calendar_2020.pdf
- https://cdn.shopify.com/s/files/1/0440/1342/0702/files/865148249.pdf
- https://cdn.shopify.com/s/files/1/0431/4752/6305/files/48273745129.pdf
- https://cdn.shopify.com/s/files/1/0432/4645/2899/files/ambiguous_pronoun_reference.pdf
- https://cdn.shopify.com/s/files/1/0433/7795/0870/files/41453772262.pdf
- https://cdn.shopify.com/s/files/1/0439/1701/7243/files/2946266932.pdf
  XMP metadata namespace URIs (schema identifiers from the document's XMP packet, present in nearly every PDF and not clickable):
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
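As an added example (not the analyzer's own code), the following Python re-implements the two heuristics above over a constructed link-farm PDF. It pulls URLs from /URI link annotations and from URL-shaped text anywhere in the file, inflating Flate streams first because generated carriers often compress the page content, discards the XMP/RDF namespace URIs that every XMP metadata packet contains, clusters the clickable links by host, and applies the two rules. The redirector host list, the thresholds (at least 10 .pdf links, at least half on one host, file under 200 KB), the cdn.shopify.com path numbers, the *.example hosts and the second-stage URL in the page content are assumptions for illustration; only ttraff.ru and the link shapes come from this report.

```python
"""Added example, not the analyzer's own code: re-implement the two PDF
link-farm heuristics over a constructed sample PDF. Only ttraff.ru and the
URL shapes come from the report; hosts, thresholds and the redirector list
are illustrative assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}      # stand-in for a threat-intel feed (assumption)

# XMP/RDF schema namespaces sit in nearly every PDF's metadata packet and are
# never user-clickable, so a URL extractor must not count them as links.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")

URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^()\\]*)\)")  # clickable link action
GENERIC_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")            # any URL-shaped text
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)endstream", re.S)      # \b skips 'endstream'

def inflate_streams(pdf: bytes) -> bytes:
    """Append the inflated body of every Flate stream so URLs inside compressed
    page content or object streams are visible to the regex scans."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:   # decompressobj tolerates the trailing EOL before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass                       # uncompressed or non-Flate stream
    return b"\n".join(parts)

def extract_urls(pdf: bytes) -> dict[str, set[str]]:
    """Map each URL to the channels that carried it: 'link_annotation' for a
    /URI action, 'body' for URL-shaped text anywhere in the (inflated) file."""
    data = inflate_streams(pdf)
    found: dict[str, set[str]] = {}
    for m in URI_ACTION_RE.finditer(data):
        found.setdefault(m.group(1).decode("latin-1"), set()).add("link_annotation")
    for m in GENERIC_URL_RE.finditer(data):
        found.setdefault(m.group(0).decode("latin-1"), set()).add("body")
    return {u: c for u, c in found.items() if not u.startswith(XMP_NAMESPACE_PREFIXES)}

def assess(pdf: bytes, small_pdf_max=200_000, farm_min_links=10, farm_min_share=0.5) -> dict:
    """Apply the report's two rules; the thresholds are illustrative assumptions."""
    urls = extract_urls(pdf)
    clickable = [u for u, c in urls.items() if "link_annotation" in c]
    hosts = Counter(urlsplit(u).hostname or "" for u in clickable)
    redirectors = sorted(set(hosts) & KNOWN_REDIRECTOR_HOSTS)
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    top_share = hosts.most_common(1)[0][1] / len(clickable) if clickable else 0.0
    hits = []
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if len(pdf) <= small_pdf_max and len(pdf_links) >= farm_min_links and top_share >= farm_min_share:
        hits.append("PDF_SEO_LINK_FARM")
    return {"urls": urls, "hosts": dict(hosts), "redirectors": redirectors,
            "top_host_share": round(top_share, 2), "hits": hits}

def build_sample_pdf(link_uris, hidden_text, xmp):
    """Constructed one-page PDF: one /Link annotation per URI, a Flate-compressed
    content stream carrying `hidden_text`, and an XMP metadata stream."""
    content = zlib.compress(f"BT /F1 12 Tf 72 720 Td ({hidden_text}) Tj ET".encode("latin-1"))
    n = len(link_uris)
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata %d 0 R >>" % (n + 5),
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            ("<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
             + " ".join(f"{5 + i} 0 R" for i in range(n)) + "] >>").encode(),
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream"]
    objs += [f"<< /Type /Annot /Subtype /Link /Rect [72 {700 - 14 * i} 300 {712 - 14 * i}] "
             f"/A << /S /URI /URI ({u}) >> >>".encode("latin-1") for i, u in enumerate(link_uris)]
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
                + xmp.encode() + b"\nendstream")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (n + 6) + b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (n + 6, xref)
    return bytes(out)

# Constructed sample modelled on this report: 12 PDFs on one CDN host, 5 on
# scattered uploads hosts (*.example is made up), plus the report's redirector URL.
REDIRECTOR_URL = "https://ttraff.ru/pify?keyword=english+to+spanish+dictionary+pdf+download"
SAMPLE_LINKS = ([f"https://cdn.shopify.com/s/files/1/04{i:02d}/0000/0000/files/{i * 7919}.pdf" for i in range(12)]
                + [f"http://files.host{i}.example/uploads/1/3/1/6/13160634{i}/lure{i}.pdf" for i in range(5)]
                + [REDIRECTOR_URL])
SAMPLE_XMP = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
              'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description '
              'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>'
              '</rdf:RDF></x:xmpmeta>')
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, "Download: https://second-stage.example/landing", SAMPLE_XMP)

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_PDF), indent=2, default=sorted))
```

Running the file prints the per-URL channel map, the host counts and both rule IDs for the constructed sample; the XMP namespaces are dropped and the second-stage URL is only reachable once the Flate stream has been inflated. Two caveats for anyone adapting this: the regex scan misses /URI values written as hex strings or containing escaped parentheses, so a production detector should walk the parsed object tree instead, and the host cluster is the signal, not the host itself, so cdn.shopify.com must not be treated as an indicator on its own.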
Extracted artifacts (5)
Files carved from inside the sample during analysis. Embedded sfnt (TrueType/OpenType) font programs are routine PDF content; none of the three heuristics above relate to them.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00007601.bin | 6365e1deed2985e0656c122bf943145cc3ab478e5cc6d9c089fe668e71f8952 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7601 | 15604 bytes |
| font_01_sfnt_off0000a8c5.bin | f28fa7aa9bc76d95e714ccc2ffd26fee1c0cb27794e55a863e1151fe4d61594a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA8C5 | 5568 bytes |
| font_02_sfnt_off0000bbbb.bin | 83d921442a7e3399ee9a0e45ed4994ea634200b925299127b386700b7486a5b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBBB | 9080 bytes |
| font_03_sfnt_off0000d559.bin | 316d5df2767bd84f59af636f2dbca472796f31f9f68af90d2a67578964be06b5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD559 | 11156 bytes |
| font_04_sfnt_off0000facc.bin | 593eefa8d67bf31b52097e47ef494625954e7c8ad78a7feed1851ea6a9045107 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFACC | 19264 bytes |