MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document was identified as malicious due to a critical heuristic firing for a redirector link pointing to ttraff.cc. Additionally, it contains a large number of embedded links, many hosted on cdn.shopify.com, suggesting a link farm or SEO poisoning tactic. The primary malicious URL is https://ttraff.cc/pify?keyword=file+pdf+kh%25C3%25B4ng+%25C4%2591%25E1%25BB%258Dc+%25C4%2591%25C6%25B0%25E1%25BB%25A3c, which likely serves as a gateway to further malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=file+pdf+kh%25C3%25B4ng+%25C4%2591%25E1%25BB%258Dc+%25C4%2591%25C6%25B0%25E1%25BB%25A3c
- http://boses.justintymeboots.com/uploads/1/3/0/8/130813528/joxabel.pdf
- http://files.christiananker.com/uploads/1/3/1/3/131382141/c3637.pdf
- http://files.clydeaspevig.com/uploads/1/3/1/1/131163738/simejawovorizov.pdf
- http://xegon.worldclasslanguagesolutions.com/uploads/1/3/2/6/132696111/3618061.pdf
- http://madop.3mbluemerlecorgis.com/uploads/1/3/2/3/132303189/busovurugen_sopebijo_kotafovovobi_zejux.pdf
- https://cdn.shopify.com/s/files/1/0432/6254/1982/files/7719380705.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/ralaguguzovepusumizus.pdf
- https://cdn.shopify.com/s/files/1/0436/1977/8723/files/15177230659.pdf
- https://cdn.shopify.com/s/files/1/0430/7514/1794/files/pelogejelijosijeloto.pdf
- https://cdn.shopify.com/s/files/1/0433/9430/2117/files/fukikosigewu.pdf
- https://cdn.shopify.com/s/files/1/0430/9378/6791/files/11067323752.pdf
- https://cdn.shopify.com/s/files/1/0431/9870/9918/files/gukikuvanosutane.pdf
- https://cdn.shopify.com/s/files/1/0428/1715/9335/files/bomemiritixevuvuwuxido.pdf
- https://cdn.shopify.com/s/files/1/0432/7813/9556/files/95993052084.pdf
- https://cdn.shopify.com/s/files/1/0431/6784/2459/files/94429398833.pdf
- https://cdn.shopify.com/s/files/1/0441/2270/1976/files/kesekub.pdf
- https://cdn.shopify.com/s/files/1/0431/5414/5444/files/8900370d8a754ae8c0a4a56c43f29c5a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005c8a.bin51fa16e26addc79b2ff0530a7028e755df8704324046894ad2d8cbbf5add29f0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C8A | 5264 bytes |
font_01_sfnt_off00006df7.bin8b2817a846d60f1e46424332f6b62567519dd224f810b95a2b53732efbc877be |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6DF7 | 22116 bytes |
font_02_sfnt_off00009d52.binf267a97a42ed964490c0c36cf8d24d30f5cfc386ee24850e75bb3a4991f11828 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D52 | 16376 bytes |
font_03_sfnt_off0000b2fa.bina542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB2FA | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.