Malware Insights
The PDF file contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, which is indicative of a link farm for SEO manipulation or to obscure malicious redirects. One critical heuristic identified a direct link to a known malicious redirector at 'https://ttraff.com/pify?keyword=fluoroscopic+guided+lumbar+puncture'. Additionally, a heuristic flagged a 'Clipboard command execution lure', suggesting the document instructs the user to copy and paste commands into a shell, likely to download and execute further payloads. The presence of these elements strongly suggests a malicious intent to redirect users to harmful sites or trick them into executing commands.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=fluoroscopic+guided+lumbar+puncture
- http://files.lockmangenetics.com/uploads/1/3/0/7/130775383/nizejab.pdf
- http://files.highclasswhoopass.com/uploads/1/3/0/7/130740551/xofadefobeb_kolas_jegesurejag_denanunakuperav.pdf
- http://gebivamev.elizabethheppenheimer.com/uploads/1/3/0/7/130740440/c0a9e1c8a66a06.pdf
- http://pevus.hipnotions.com/uploads/1/3/0/8/130873782/8138310.pdf
- https://cdn.shopify.com/s/files/1/0441/3207/3624/files/sri_devi_bhagavatam_in_telugu_free_download.pdf
- https://cdn.shopify.com/s/files/1/0427/9861/2636/files/kibubuxokufi.pdf
- https://cdn.shopify.com/s/files/1/0428/0107/0247/files/86204462475.pdf
- https://cdn.shopify.com/s/files/1/0431/4713/3088/files/kekifimaxurutuz.pdf
- https://cdn.shopify.com/s/files/1/0431/8530/7808/files/56951627856.pdf
- https://cdn.shopify.com/s/files/1/0433/4164/3928/files/76175611811.pdf
- https://cdn.shopify.com/s/files/1/0434/6891/4838/files/68482178528.pdf
- https://cdn.shopify.com/s/files/1/0434/6707/9830/files/mixed_in_key_torrent.pdf
- https://cdn.shopify.com/s/files/1/0448/3593/0273/files/bourton_on_the_water_map.pdf
- https://cdn.shopify.com/s/files/1/0437/9344/9122/files/55683499068.pdf
- https://cdn.shopify.com/s/files/1/0431/1996/8417/files/notirob.pdf
- https://cdn.shopify.com/s/files/1/0439/1455/9656/files/33236385839.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007581.binbe85b8ff0a16371f821f9fb5596f0909748cccd6c790c345032e165edddb0b53 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7581 | 5368 bytes |
font_01_sfnt_off0000879f.binf6d91fa02911f89412b1e86fa1895dca0a05b4cfcb1a38a27cd16e973e1daee9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x879F | 10160 bytes |
font_02_sfnt_off0000aa50.bin1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA50 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.