MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=cat+5e+wiring+diagram+pdf'. This URL is designed to lure users into clicking on it by disguising itself as a search result for a wiring diagram. The document body, though heavily obfuscated, also contains this URL, reinforcing the malicious intent. The file also exhibits characteristics of a link farm, with numerous external PDF links, suggesting a broader campaign to distribute malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=cat+5e+wiring+diagram+pdf
- http://files.kbkornhole.com/uploads/1/3/1/4/131438891/zawavapavukeped.pdf
- http://vozudepe.thebottomdrawerantiques.com/uploads/1/3/2/6/132681556/4459570.pdf
- http://files.roustabout-theater.org/uploads/1/3/2/8/132814048/xuwugeredofaj.pdf
- http://zogado.navarrepenthouse.com/uploads/1/3/0/7/130738714/pepovigekonivof.pdf
- http://files.catherinereilly.com/uploads/1/3/1/4/131483138/3803139.pdf
- https://cdn.shopify.com/s/files/1/0436/1384/7710/files/56560230339.pdf
- https://cdn.shopify.com/s/files/1/0431/4392/1820/files/posapuraledimazixowapam.pdf
- https://cdn.shopify.com/s/files/1/0432/6971/8182/files/43647749936.pdf
- https://cdn.shopify.com/s/files/1/0430/0144/6551/files/minecraft_forge_1._13_release_date.pdf
- https://cdn.shopify.com/s/files/1/0429/5055/7855/files/82557666419.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/5137558887.pdf
- https://cdn.shopify.com/s/files/1/0428/8672/5795/files/jusajawezadutebejamas.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sejil.pdf
- https://cdn.shopify.com/s/files/1/0432/7240/5157/files/62618053852.pdf
- https://cdn.shopify.com/s/files/1/0434/9041/0658/files/60700934820.pdf
- https://cdn.shopify.com/s/files/1/0430/9912/7957/files/88817279788.pdf
- https://cdn.shopify.com/s/files/1/0438/4748/3552/files/bolly_songs_2016.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008323.binf77b5c383cbd2c495d523c313e0e14d7b7f0fc1a0c581f32bfffad0c4d572a1c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8323 | 5068 bytes |
font_01_sfnt_off0000945e.binf88ea552fa4873368c467e801a4c7532abf748726f38d81eca6e00355e89ef59 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x945E | 10368 bytes |
font_02_sfnt_off0000b785.bincd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB785 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.