Risk Score: 120 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link redirects to a known malicious infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=substance+abuse+and+academic+performance+pdf', which is flagged as a malicious redirector. This suggests the document is part of a link farm or SEO poisoning campaign designed to drive traffic to malicious sites.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ttraff.ru/pify?keyword=substance+abuse+and+academic+performance+pdf
- http://bibibamev.ruthmillerembroidery.com/uploads/1/3/1/3/131383483/7342213.pdf
- http://files.essentialpsychotherapyservices.com/uploads/1/3/1/4/131407877/dujarewige-wanulodev.pdf
- http://nevej.biotechashok.com/uploads/1/3/0/7/130739591/dejonokitux-kidesipujudi.pdf
- http://files.keepingthefaithal.org/uploads/1/3/1/0/131070604/7042212.pdf
- http://files.vedanza.com/uploads/1/3/0/9/130969987/sozobugina-xomefirexosa.pdf
- https://cdn.shopify.com/s/files/1/0431/8360/3876/files/guxalagovezemama.pdf
- https://cdn.shopify.com/s/files/1/0432/7673/0533/files/rinoz.pdf
- https://cdn.shopify.com/s/files/1/0431/2183/6193/files/ancient_china_timeline.pdf
- https://cdn.shopify.com/s/files/1/0433/3741/6869/files/canada_student_visa_form.pdf
- https://cdn.shopify.com/s/files/1/0434/4007/9005/files/57338092971.pdf
- https://cdn.shopify.com/s/files/1/0434/2664/4125/files/29587197651.pdf
- https://cdn.shopify.com/s/files/1/0431/0574/7095/files/mexagizifo.pdf
- https://cdn.shopify.com/s/files/1/0435/2868/3674/files/38280398308.pdf
- https://cdn.shopify.com/s/files/1/0430/3273/9989/files/84865776911.pdf
- https://cdn.shopify.com/s/files/1/0436/6984/8217/files/core_strength_exercises_for_beginners.pdf
- https://cdn.shopify.com/s/files/1/0435/4742/6975/files/begemibugobar.pdf
- https://cdn.shopify.com/s/files/1/0430/7451/9191/files/arcanos_mayores_significado.pdf
- https://cdn.shopify.com/s/files/1/0438/8339/7275/files/52171108749.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00009d22.bin | 2fb2a827fdafa479283055d044786ed0858fa5510272e4d0ac0336271e320cc4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D22 | 5512 bytes |
| font_01_sfnt_off0000afb0.bin | eba5a1522d5c2d6a1f7f1f7db2175c202c97d7786b13892db3e3813f3c958bd6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAFB0 | 10404 bytes |