MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1059 Command and Scripting Interpreter
The PDF contains a malicious redirector link and a large number of external PDF links, suggesting a link farm for SEO poisoning. Crucially, it also contains a heuristic indicating a 'Clipboard command execution lure', instructing the user to copy and paste content into a shell. This strongly suggests the document's purpose is to trick the user into executing a malicious command, likely to download and run a second-stage payload from the embedded URLs.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=avi+to+mp4+video+converter
- https://static.usrfiles.com/ugd/b8c837_cda37eaa1d2243e7ad204dc883723ec4.pdf
- https://static.usrfiles.com/ugd/590778_0ac7875384d74b2b954bfdc234b0a846.pdf
- https://static.usrfiles.com/ugd/0a052f_234413a4193643dba443270d5c626550.pdf
- https://static.usrfiles.com/ugd/72b0e7_64b7afb3114148f8b655ee229a5f0ebf.pdf
- https://cdn.shopify.com/s/files/1/0437/1460/9305/files/xefari.pdf
- https://static.usrfiles.com/ugd/fedf23_6bf6c5a484244e948f30ed0ba1dcedbc.pdf
- https://static.usrfiles.com/ugd/b8c837_1c01422732884498805870ffeabb6661.pdf
- https://static.usrfiles.com/ugd/451461_69dd957855b44b94a67058cb14dd54a0.pdf
- https://static.usrfiles.com/ugd/b8c837_2c20278505c14891a2e7a81577fb5f91.pdf
- https://static.usrfiles.com/ugd/3aee12_988401c97f854e648be18aaf4c65838d.pdf
- https://static.usrfiles.com/ugd/ab0441_808ed17c4b3a420cbfec4a213a9a82ea.pdf
- https://static.usrfiles.com/ugd/b8c837_c8114a186a0f467eb8acf6104cdf8c58.pdf
- https://static.usrfiles.com/ugd/5be868_7ed485bbb3e94b28a25f30bcd9dd48ec.pdf
- https://static.usrfiles.com/ugd/b11f6d_c725f80469da404b93ce13ecead31b40.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006424.bin208cdd78f55fc12a5b9b5e7b433bfc3cc01449eecce1e840e14e851857618a2c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6424 | 4936 bytes |
font_01_sfnt_off000074e9.bin92b84243eea1e801dc364ab3ea6c3a7170d908318dfff4b0caed00246d299ed0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x74E9 | 10504 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.