MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 Malicious Link
T1059.001 PowerShell
The PDF contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm for SEO manipulation or traffic redirection. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to obscure the final destination. The document body, though heavily obfuscated, contains the same malicious URL and appears to be a lure for free IELTS vocabulary PDFs. The presence of a visual download button further supports a deceptive workflow.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=vocabulary+for+ielts+pdf+free
- http://files.canyoncreeknaturals.com/uploads/1/3/2/3/132303314/6f9e72d1c5e4716.pdf
- http://files.newtowneplayers.org/uploads/1/3/1/4/131453255/3434eb86f4f59.pdf
- http://files.taleinferno.com/uploads/1/3/1/8/131871597/sivawesuvoj.pdf
- https://cdn.shopify.com/s/files/1/0436/5749/4693/files/13151215455.pdf
- https://cdn.shopify.com/s/files/1/0431/2052/5476/files/95634857399.pdf
- https://cdn.shopify.com/s/files/1/0440/7944/8216/files/ladudof.pdf
- https://cdn.shopify.com/s/files/1/0432/1814/1347/files/gusanujov.pdf
- https://cdn.shopify.com/s/files/1/0433/8860/0478/files/gibenebazir.pdf
- https://cdn.shopify.com/s/files/1/0429/8434/1657/files/zojud.pdf
- https://cdn.shopify.com/s/files/1/0430/6819/4965/files/fenoda.pdf
- https://cdn.shopify.com/s/files/1/0431/1721/5905/files/tuwagudadowibukujazesimus.pdf
- https://cdn.shopify.com/s/files/1/0438/8985/2568/files/85818844977.pdf
- https://cdn.shopify.com/s/files/1/0435/8687/9651/files/20601567883.pdf
- https://cdn.shopify.com/s/files/1/0431/8606/1463/files/andragogy_books.pdf
- https://cdn.shopify.com/s/files/1/0427/4615/1078/files/xulikotom.pdf
- https://cdn.shopify.com/s/files/1/0431/6777/6919/files/34305544248.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005c39.bin2d65cdbcfc56b98842f67ff893ea0559042bc7c68d5ea4c581a61282a6cf1cb4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C39 | 5356 bytes |
font_01_sfnt_off00006e80.binb67f9888fc955e912132eee052e48abaeebc94cf3be26f63799add8219b73b12 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E80 | 9752 bytes |
font_02_sfnt_off00008ff8.binfd638df73e0fecd31db11525a24bc7f1451215c4081a6f55993372f5ee688496 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8FF8 | 16100 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.