Malware Insights
The PDF file contains numerous embedded links. One critical heuristic flagged a malicious redirector link to 'https://ttraff.ru/pify?keyword=sawaia+as+artimanhas+da+exclus%25C3%25A3o+pdf'. A second critical heuristic identified a PDF link farm, suggesting a spamming or SEO abuse tactic. The document body, though heavily obfuscated, contains references to the malicious URL and a benign-looking PDF URL, likely intended to mask the malicious intent. No scripts were extracted, but the presence of malicious redirector links strongly suggests a phishing or malware delivery attempt.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/pify?keyword=sawaia+as+artimanhas+da+exclus%25C3%25A3o+pdf
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000c159.bin c2c47d666377896bc64c751ab93036c10a9ed5e009e5792316f9fd68328a911f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC159 | 5976 bytes |
| font_01_sfnt_off0000d50b.bin 618d4a6dc8fcde918bb7ef71416d2cb316b3ba6a354dfdc37bbad6e728041704 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD50B | 10376 bytes |