MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious Link
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
This PDF file contains a large number of embedded links, many of which point to potentially malicious redirectors or link farms. The heuristic firings indicate that the document instructs the user to disable security software, a common tactic to bypass defenses. The primary malicious URL identified is https://ttraff.cc/pify?keyword=cabal++full+client, which is likely used to redirect the user to further malicious content. No scripts were extracted, limiting the analysis of direct execution capabilities.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Security software disable instruction high SE_SECURITY_BYPASSDocument instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=cabal++full+client
- http://files.pjneallaw.com/uploads/1/3/1/4/131483128/xegif.pdf
- http://files.winninggodsway.com/uploads/1/3/0/7/130775180/karuragotobagesu.pdf
- http://diguda.mysteryshoppingonlinejob.com/uploads/1/3/1/4/131453598/rawufi.pdf
- http://files.nundahpetsitter.com/uploads/1/3/0/8/130814187/f311684790c5ce1.pdf
- http://dedilejo.stpaullevittown.org/uploads/1/3/2/3/132303354/juxekajebase_xejek_fimogijezum.pdf
- https://cdn.shopify.com/s/files/1/0447/9172/6240/files/hourly_schedule_template.pdf
- https://cdn.shopify.com/s/files/1/0433/5150/7094/files/31303613571.pdf
- https://cdn.shopify.com/s/files/1/0429/4659/2924/files/61736232161.pdf
- https://cdn.shopify.com/s/files/1/0438/9008/1960/files/endometriosis_puerperal.pdf
- https://cdn.shopify.com/s/files/1/0432/0201/9487/files/mesumarinokibufadam.pdf
- https://cdn.shopify.com/s/files/1/0438/5452/8677/files/46313666937.pdf
- https://cdn.shopify.com/s/files/1/0431/3566/4284/files/inequality_worksheet_7th_grade.pdf
- https://cdn.shopify.com/s/files/1/0440/1987/5998/files/15115887104.pdf
- https://cdn.shopify.com/s/files/1/0432/0657/4240/files/91649850870.pdf
- https://cdn.shopify.com/s/files/1/0429/6415/6575/files/zogizir.pdf
- https://cdn.shopify.com/s/files/1/0427/5788/2022/files/lisaxujudozigolamesefib.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004e14.bin2f20d4728013d8fb969bd1703cdb2ef04a88520d6b18073e1de51a53086bd6b1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E14 | 4648 bytes |
font_01_sfnt_off00005dfb.bin8e8070a5f07387a318feb55cd885d74f1a5aa4a9ef91a1e295b4fa2527c17598 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5DFB | 9968 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.