MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, many of which point to external sites, indicating a link farm or redirector strategy. One critical heuristic firing identified a link to known malicious redirector infrastructure at 'https://ttraff.ru/pify?keyword=riverdale+pilot+script+pdf'. The document body, though heavily obfuscated, also contains this URL and other Shopify-hosted PDF links. This suggests the primary goal is to redirect users to malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=riverdale+pilot+script+pdf
- http://files.readingthechinadream.com/uploads/1/3/1/0/131069887/kebekod.pdf
- http://files.cassielentz.com/uploads/1/3/2/7/132740435/jekan.pdf
- http://files.rioxpvista.com/uploads/1/3/0/8/130873717/dopenizuvonif_diruzexo.pdf
- http://files.thefullertons.net/uploads/1/3/0/8/130813645/791378.pdf
- http://files.cathyscommuniondresses.com/uploads/1/3/0/8/130814466/6147770.pdf
- https://cdn.shopify.com/s/files/1/0432/0106/9220/files/kinudupawojeli.pdf
- https://cdn.shopify.com/s/files/1/0437/6192/6293/files/74409297163.pdf
- https://cdn.shopify.com/s/files/1/0427/7728/0671/files/28514807950.pdf
- https://cdn.shopify.com/s/files/1/0437/3938/1912/files/xaximinimesuruvanijefudo.pdf
- https://cdn.shopify.com/s/files/1/0432/8167/8494/files/modizenobeligefajibegezeg.pdf
- https://cdn.shopify.com/s/files/1/0432/9101/7374/files/wuwijinonezetifofadadad.pdf
- https://cdn.shopify.com/s/files/1/0433/0799/1208/files/525616255.pdf
- https://cdn.shopify.com/s/files/1/0432/6513/0658/files/gonirinijaro.pdf
- https://cdn.shopify.com/s/files/1/0435/2308/0344/files/d_d_5e_player_s_handbook.pdf
- https://cdn.shopify.com/s/files/1/0428/7227/5103/files/ledotisekukusat.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nejoxalivivurotuzepebibus.pdf
- https://cdn.shopify.com/s/files/1/0431/7410/1160/files/dozumavagibuwedagi.pdf
- https://cdn.shopify.com/s/files/1/0432/3606/5438/files/kitirudiluvixojovo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000823f.bin8c4d557fc96d73a3fe279738180b11cabc7c0790adcc444b36dd279ee02f0767 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x823F | 5216 bytes |
font_01_sfnt_off0000941a.bin35a0cc42e404c3685803d0333db766349bbf4ff0f9f235472006e0ecd19a5037 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x941A | 10472 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.