MALICIOUS
Risk Score: 60
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded URL `https://ttraff.ru/pify?keyword=font+awesome+version+4.+7+cheatsheet` is identified as a known malicious redirector. The document body, though heavily obfuscated, contains metadata related to wkhtmltopdf and a date, suggesting it was generated programmatically. No scripts were extracted from this sample.
Heuristics (2)
- PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://ttraff.ru/pify?keyword=font+awesome+version+4.+7+cheatsheet
- http://files.findingbea.com/uploads/1/3/0/7/130740213/xobiwerafama-texegofamex-xuzuje-zesajiforupo.pdf
- http://files.kuthulellc.com/uploads/1/3/1/4/131455722/5098269.pdf
- http://files.kulitjerukbali.net/uploads/1/3/0/7/130738955/1448541.pdf
- http://files.rikrecruitment.com/uploads/1/3/0/9/130969218/vanodubegetajal.pdf
- http://files.ebrahimi-ali.com/uploads/1/3/1/4/131437699/tavibotawuzusu.pdf
- https://cdn.shopify.com/s/files/1/0428/4681/4374/files/bilinafibidolunebuselu.pdf
- https://cdn.shopify.com/s/files/1/0427/9002/7430/files/vawudofuratabigivimax.pdf
- https://cdn.shopify.com/s/files/1/0429/0933/5715/files/dumimaxoxofol.pdf
- https://cdn.shopify.com/s/files/1/0433/6818/6015/files/rinufim.pdf
- https://cdn.shopify.com/s/files/1/0429/9964/4314/files/58861138830.pdf
- https://cdn.shopify.com/s/files/1/0429/4469/2383/files/83204677847.pdf
- https://cdn.shopify.com/s/files/1/0437/0428/7383/files/pobinijevin.pdf
- https://cdn.shopify.com/s/files/1/0431/3550/0439/files/nuxuw.pdf
- https://cdn.shopify.com/s/files/1/0431/6590/9160/files/melepoxadajur.pdf
- https://cdn.shopify.com/s/files/1/0440/3917/6342/files/fojebatilabuj.pdf
- https://cdn.shopify.com/s/files/1/0428/6559/0438/files/netozidisegenanima.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/fil
Extracted artifacts (6)
Files carved from inside the sample during analysis (SHA-256 of each carved file shown beside its filename).
| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_005_off00009f8c.bin (SHA-256: 3f7a0e4c18621921314959d246e4c35eedc5895b277f26fa0f43e52f43b3c92d) | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x9F8C | 193584 bytes |
| font_01_sfnt_off00026b6e.bin (SHA-256: b02a19c856080ae3c28cbd1bf181f0dac7015e5bfa9a17e2948af82f230d8eab) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26B6E | 5100 bytes |
| font_02_sfnt_off00027cb9.bin (SHA-256: 95dd406d8bb45c6d609a923ef0e3568931b5ca5b50a99e2bf4299486d5ee11c4) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27CB9 | 5008 bytes |
| font_03_sfnt_off00028a86.bin (SHA-256: 7fdb0aa27b05d584254f80a6d3cc3e7900d84707c1fc8d94469324207b381210) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28A86 | 4600 bytes |
| font_04_sfnt_off00029897.bin (SHA-256: bd566e8ae7dff199139b7ed097bdb276485154b23f69c48d16ec56dc7fe502f3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x29897 | 11192 bytes |
| font_05_sfnt_off0002bb9f.bin (SHA-256: 39ec73b8b1c2a551c4c01b2c98cebce20a95640f34aaba2e21f9055caa34898d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BB9F | 16980 bytes |