MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a heuristic firing for a malicious redirector link, which points to 'ttraff.ru'. This URL is presented to the user as a tutorial PDF, indicating a social engineering lure. The document also contains a large number of embedded links, many of which point to Shopify domains, suggesting a link farm or SEO manipulation tactic to distribute malicious content. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=python%20tkinter%20complete%20tutorial%20pdf
- http://files.1percentgallery.com/uploads/1/3/0/7/130774990/kekoruwo_ditafededudeki_pazulurezupesa.pdf
- http://files.eastlakecongregational.org/uploads/1/3/2/6/132695347/7e89d.pdf
- http://files.cprsd2.com/uploads/1/3/1/6/131607269/malamusofako_memavaxasasipeb_xaxojikilaloxo_bebugigod.pdf
- http://files.mimiarnstein.com/uploads/1/3/1/0/131070576/xokilexiwemes_doselewelu_sibupile_limuvori.pdf
- http://files.mimiarnstein.com/uploads/1/3/1/0/131070576/xokilexiwem
- https://cdn.shopify.com/s/files/1/0432/0106/9220/files/zifiperelef.pdf
- https://cdn.shopify.com/s/files/1/0429/6340/2905/files/pojazarudolexawewudaza.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/63545483179.pdf
- https://wanamudiz.files.wordpress.com/2020/07/weluvesi.pdf
- https://warezofokel.files.wordpress.com/2020/06/82609683388.pdf
- https://wisiseju.files.wordpress.com/2020/07/zobigaxigit.pdf
- https://lugopago.files.wordpress.com/2020/06/64279609463.pdf
- https://kudikinojov.files.wordpress.com/2020/07/jozejevarirugogofupud.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dobemajafapurotexujebo.pdf
- https://cdn.shopify.com/s/files/1/0433/4315/1272/files/xewexugufuzemorawotudapaw.pdf
- https://cdn.shopify.com/s/files/1/0431/1570/8580/files/78870892937.pdf
- https://cdn.shopify.com/s/files/1/0429/6772/8279/files/nexijinozotebazu.pdf
- https://cdn.shopify.com/s/files/1/0428/1915/8183/files/daxaliz.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/fixasitisajixumazurezeve.pdf
- https://cdn.shopify.com/s/files/1/0429/1792/0934/files/ripax.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/9142282406.pdf
- https://cdn.shopify.com/s/files/1/0433/0127/3750/files/dijunom.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008ae9.binb6d1161198a8aad48b115ec7723d11b5dced81517a27ad941b400dd1ebb5235a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AE9 | 5268 bytes |
font_01_sfnt_off00009ca1.bin057824ff035b1ca3cf5554d05a9b0304c16f653765cb544ebf84227e6d33d5e5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9CA1 | 10536 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.