MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a mass of external links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the string 'appshare apk pure' and a URL that appears to be part of a link farm designed to lure users. The presence of a callback lure heuristic further suggests a phishing or scam attempt. The primary malicious URL identified is https://ttraff.com/pify?keyword=appshare+apk+pure.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=appshare+apk+pure
- http://gededif.majorguideservice.com/uploads/1/3/1/3/131384281/zubexap.pdf
- http://files.stmarks-benson.com/uploads/1/3/1/6/131636866/7e15335.pdf
- https://cdn.shopify.com/s/files/1/0438/3725/9938/files/lilesavojatetogepibiw.pdf
- https://cdn.shopify.com/s/files/1/0440/4504/1814/files/63316869229.pdf
- https://cdn.shopify.com/s/files/1/0429/7926/2623/files/58109124671.pdf
- https://cdn.shopify.com/s/files/1/0431/7518/2485/files/simile_metaphor_and_hyperbole_worksheets.pdf
- https://cdn.shopify.com/s/files/1/0430/1671/6437/files/90317283252.pdf
- https://cdn.shopify.com/s/files/1/0429/1801/9235/files/bajuwutefipijijenekulule.pdf
- https://cdn.shopify.com/s/files/1/0440/2751/0934/files/44319285687.pdf
- https://cdn.shopify.com/s/files/1/0429/9295/9642/files/romopo.pdf
- https://cdn.shopify.com/s/files/1/0430/9303/3111/files/lofegu.pdf
- https://cdn.shopify.com/s/files/1/0430/0944/1953/files/sugajep.pdf
- https://cdn.shopify.com/s/files/1/0428/5654/6467/files/6477166024.pdf
- https://cdn.shopify.com/s/files/1/0429/6183/0037/files/38999268926.pdf
- https://cdn.shopify.com/s/files/1/0434/5298/9605/files/simasofufanativifa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006113.bin1bd8fbfabbee8301393f49761188b0f4cd44009cfb3d3e3fc681c453d339fb31 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6113 | 4464 bytes |
font_01_sfnt_off0000703a.bin3e0505798237d9e040d1847fb3bdc4244473d873cf3d724a8b54247b671ae9d6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x703A | 10088 bytes |
font_02_sfnt_off000092a7.bin1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x92A7 | 4324 bytes |
font_03_sfnt_off0000a0a8.bin05afd4c70e353830cf57f97c102a5782206dc50531dc3c733705d58cb296d3db |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0A8 | 3340 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.