MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the string 'Happn app premium apk' and the malicious URL, suggesting a lure for a fake application download. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the presence of a link to malicious infrastructure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=happn+app+premium+apk
- http://files.newenergyera.org/uploads/1/3/0/8/130874612/1019597.pdf
- http://files.varanasiastro.com/uploads/1/3/2/6/132696117/titozamozid.pdf
- http://files.oldpostfarm.com/uploads/1/3/1/3/131378921/wokixopisoxufu_vexadev_soresek.pdf
- http://files.chicosierra.com/uploads/1/3/0/7/130775192/9881432.pdf
- https://cdn.shopify.com/s/files/1/0437/1965/5579/files/zulegi.pdf
- https://cdn.shopify.com/s/files/1/0432/7941/7504/files/organizational_chart_template_free_editable.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/76410179135.pdf
- https://cdn.shopify.com/s/files/1/0427/6980/9575/files/busijoxofumovakaxemam.pdf
- https://cdn.shopify.com/s/files/1/0431/6843/2288/files/64136015279.pdf
- https://cdn.shopify.com/s/files/1/0432/3488/5796/files/50301553109.pdf
- https://cdn.shopify.com/s/files/1/0430/4545/3985/files/dewiruxadifodikamuso.pdf
- https://cdn.shopify.com/s/files/1/0435/1338/1028/files/53761398459.pdf
- https://cdn.shopify.com/s/files/1/0431/6931/7020/files/57486344913.pdf
- https://cdn.shopify.com/s/files/1/0436/5081/0014/files/kezeta.pdf
- https://cdn.shopify.com/s/files/1/0433/1631/4277/files/64740111836.pdf
- https://cdn.shopify.com/s/files/1/0432/2829/9428/files/48531661560.pdf
- https://cdn.shopify.com/s/files/1/0433/2666/8952/files/resupapisekijuduj.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006f00.bindbc3ad707fd0c39a46d4f2ad3970a9ab97da86c00808b88e6be783cb5780f0a0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F00 | 4780 bytes |
font_01_sfnt_off00007f1c.binff9e0d8c346e8e1a789f460ba9625fd915602772792e6567a21dc7a4e95d7359 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F1C | 3520 bytes |
font_02_sfnt_off00008d46.binabb6fcd93f85c233d25b0154b2afe4bdc6d5f3fd62954e7f590d33a243e9416a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D46 | 10816 bytes |
font_03_sfnt_off0000b27f.bined2263b5b1b87d26feaf6dd51e52c1edfdc2b91619b86c665742d6f4c666f530 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB27F | 16404 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.