MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. The document body, though heavily obfuscated, appears to be related to tax deductions, suggesting a phishing lure. The presence of numerous external PDF links, many hosted on Shopify, indicates a link farm designed to distribute malicious content or improve SEO for malicious sites. The primary IOC is the redirector URL, which is likely used to funnel victims to a secondary malicious payload.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=deductions%20for%20ay%202019-20%20pdf
- http://files.clarediane.com/uploads/1/3/1/8/131858044/pewije.pdf
- http://files.faniehose.com/uploads/1/3/1/4/131407138/fisogebedo-zupefivexexo-fifemevi.pdf
- http://files.cummingchurchofchrist.org/uploads/1/3/2/6/132681464/6ff4e.pdf
- http://files.trilliantrillian.com/uploads/1/3/1/1/131164317/kobejajaxojoxunilito.pdf
- http://files.cummingchurchofchrist.org/upload
- https://cdn.shopify.com/s/files/1/0428/2476/1507/files/46444283806.pdf
- https://cdn.shopify.com/s/files/1/0429/2182/0319/files/35538148559.pdf
- https://cdn.shopify.com/s/files/1/0429/1988/7001/files/dunafogeke.pdf
- https://cdn.shopify.com/s/files/1/0436/1024/3230/files/vafugokaxonefiluropolewos.pdf
- https://vixifujeva.files.wordpress.com/2020/07/bugepidi.pdf
- https://fojosazekew622645149.files.wordpress.com/2020/07/64152578797.pdf
- https://mivoxuvedab.files.wordpress.com/2020/06/bunemawusexizozawe.pdf
- https://filelexasebu.files.wordpress.com/2020/06/24080246111.pdf
- https://lanijisivob.files.wordpress.com/2020/07/joremenexabutefag.pdf
- https://cdn.shopify.com/s/files/1/0429/7624/7967/files/30757069255.pdf
- https://cdn.shopify.com/s/files/1/0430/2385/9873/files/vulopumuwotumubuxosibi.pdf
- https://cdn.shopify.com/s/files/1/0434/1760/0156/files/97324313253.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/22650439267.pdf
- https://cdn.shopify.com/s/files/1/0428/9894/8255/files/kofaj.pdf
- https://cdn.shopify.com/s/files/1/0433/2729/1542/files/kogode.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/meragavafeduxilaxopuxaw.pdf
- https://cdn.shopify.com/s/files/1/0431/7839/3749/files/77850272427.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00009694.bincacf9130217cf5d91f98f4e71986f9d639bfe8a1ebf4e6b0307d9e4467b49751 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9694 | 5616 bytes |
font_01_sfnt_off0000a9bf.bindc8797b803adaf2d95cabbeaf3e2a03913c3e3b52fd980d717968de14c10fa22 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA9BF | 10116 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.