MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a significant number of embedded URLs, with a heuristic firing indicating a 'PDF SEO LINK FARM'. One of these URLs, 'https://ttraff.ru/wix?keyword=pyongyang+a+journey+in+north+korea', is flagged as a malicious redirector. The document body itself is heavily obfuscated but contains references to this malicious URL and other benign-looking Shopify links, suggesting a lure to a malicious site or a large-scale SEO poisoning attempt.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=pyongyang+a+journey+in+north+korea
- https://cdn.shopify.com/s/files/1/0432/4291/3955/files/employment_agreement_form_doc.pdf
- https://cdn.shopify.com/s/files/1/0431/1633/1172/files/cours_informatique_excel_2020.pdf
- https://cdn.shopify.com/s/files/1/0433/7382/2115/files/77376371494.pdf
- https://cdn.shopify.com/s/files/1/0438/0239/4786/files/converting_inches_to_feet_worksheet.pdf
- https://static.usrfiles.com/ugd/5ecadc_6bf23d918e0b497c88f9cc0557d58aaa.pdf
- https://static.usrfiles.com/ugd/590778_4a1d2ac65c1240dc8438b37b0fdefc90.pdf
- https://static.usrfiles.com/ugd/8acad3_37ef71e1a7e34d2eb77270952d8679ad.pdf
- https://static.usrfiles.com/ugd/6cfc61_5e439ceb680b4e59a4a24da626238ef0.pdf
- https://static.usrfiles.com/ugd/a382ee_ab22d13906404b76b973ed9d5d148bc2.pdf
- https://cdn.shopify.com/s/files/1/0432/0532/9064/files/gepenoke.pdf
- https://cdn.shopify.com/s/files/1/0430/4342/2359/files/vunazisirutugeduzulo.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tozonolemudafolafoxi.pdf
- https://cdn.shopify.com/s/files/1/0430/1773/2249/files/oxford_synonyms_and_antonyms_book.pdf
- https://static.usrfiles.com/ugd/6c98bc_0e4e3e4825b0450a85cafd6228f52a16.pdf
- https://static.usrfiles.com/ugd/7a11b0_b030ba3b11074893b2ab0be873aa7b5c.pdf
- https://static.usrfiles.com/ugd/1decf9_220e4707264146f2a8edcc88d433de34.pdf
- https://static.usrfiles.com/ugd/0a51c1_518830c1ef004876ae43bd020f2f9bda.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007348.bin949e116a63a637504bd9e1169712eccf5627a55811b6aae8ac1d92cfe4c599be |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7348 | 4980 bytes |
font_01_sfnt_off00008442.bine13376057aa3769d5f43d93afdc2b66ec282114b6c6f7a00c712270d11b13aaa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8442 | 10408 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.