MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com, designed to appear as legitimate content. One critical heuristic indicates a PDF malicious redirector link to 'https://ttraff.me/wix?keyword=superficial+back+line+yoga+poses', suggesting an attempt to direct users to a malicious site. The document body, though heavily obfuscated, contains this URL, reinforcing its role in the attack. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=superficial+back+line+yoga+poses
- https://cdn.shopify.com/s/files/1/0429/8942/0695/files/victorian_government_inclusive_language_guide.pdf
- https://cdn.shopify.com/s/files/1/0465/5126/9526/files/tewujeparipavolutasob.pdf
- https://cdn.shopify.com/s/files/1/0437/9767/6192/files/retrocalcaneal_bursitis_treatment.pdf
- https://cdn.shopify.com/s/files/1/0433/6045/2760/files/91243413804.pdf
- https://cdn.shopify.com/s/files/1/0432/1991/0813/files/47937775978.pdf
- https://cdn.shopify.com/s/files/1/0436/8151/3625/files/zotutodakufewojubon.pdf
- https://cdn.shopify.com/s/files/1/0465/3308/3294/files/5769608065.pdf
- https://cdn.shopify.com/s/files/1/0431/5666/8573/files/59445054753.pdf
- https://e0990a12-4428-4d89-a6bb-16f183ba3417.filesusr.com/ugd/a3b54b_25e4b89057804c25bc4b829d7388d85a.pdf?index=true
- https://3815b6b7-033a-45e9-8b60-d9bc02a75431.filesusr.com/ugd/7be1cd_62d04c9ffa27401a8aec8e4607a8d64a.pdf?index=true
- https://d4b93366-02b7-4cf9-8fa9-8ab332282c74.filesusr.com/ugd/b0cb2d_1762e611b1bd4ee3a0ebbfe9d5bc916e.pdf?index=true
- https://8a80f618-984a-44f7-8ba6-34dfefc04c98.filesusr.com/ugd/76156b_a4a231ccb17f4d0b8ef9eb430f148c96.pdf?index=true
- https://cdn.shopify.com/s/files/1/0437/0304/2216/files/bonanza_episodes_free.pdf
- https://cdn.shopify.com/s/files/1/0431/1479/1069/files/wodexegukovipog.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/95610310087.pdf
- https://cdn.shopify.com/s/files/1/0430/2903/7219/files/mudulewuvakozakaw.pdf
- https://cdn.shopify.com/s/files/1/0434/5040/0920/files/42521428908.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000a328.binde658aeb9285742e060e5081223e355fbf6ef7b7576d852a1d9de2d012ab8117 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA328 | 5392 bytes |
font_01_sfnt_off0000b588.bind4c95f4d3eae08ace223d6c646364e7793e067ba7ea15d7549737e8e00ce3ef2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB588 | 10052 bytes |
font_02_sfnt_off0000d7f5.bincd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD7F5 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.