MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to a URL designed to look like an application form for a Canadian visa. This URL is likely used to redirect the user to a malicious site. The file also contains a PDF link farm heuristic, indicating a large number of outbound links, many of which are hosted on Shopify. The primary malicious URL is ttraff.cc, which is known for redirecting to malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=application+form+for+canadian+visa+from+ukraine
- http://files.flowphoto-tahoe.com/uploads/1/3/1/4/131453904/gexujifix_zolokelotaden_tewudubepawisi_jifuvinazonu.pdf
- http://files.cvyouthleadershipsummit.com/uploads/1/3/2/6/132695347/ruregoxopek_xukid_sixizixoteduf.pdf
- http://files.thegleasoncenter.com/uploads/1/3/0/7/130775049/xibapivev.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gamawogedeveredu.pdf
- https://cdn.shopify.com/s/files/1/0430/8343/2096/files/mijupejidiseno.pdf
- https://cdn.shopify.com/s/files/1/0431/8219/4852/files/sagosedomug.pdf
- https://cdn.shopify.com/s/files/1/0429/9299/2410/files/9582908457.pdf
- https://cdn.shopify.com/s/files/1/0437/6104/1569/files/sasajolawivusulazi.pdf
- https://cdn.shopify.com/s/files/1/0431/0358/4409/files/46918240716.pdf
- https://cdn.shopify.com/s/files/1/0428/8125/3535/files/56565111685.pdf
- https://cdn.shopify.com/s/files/1/0433/2145/8853/files/95915496815.pdf
- https://cdn.shopify.com/s/files/1/0431/7128/3098/files/xefipotozenejexi.pdf
- https://cdn.shopify.com/s/files/1/0432/8128/5286/files/7153701948.pdf
- https://cdn.shopify.com/s/files/1/0434/7173/2889/files/vawakulejipowesagojope.pdf
- https://cdn.shopify.com/s/files/1/0433/3735/1323/files/vitupowabaw.pdf
- https://cdn.shopify.com/s/files/1/0429/4819/8556/files/83942534145.pdf
- https://cdn.shopify.com/s/files/1/0429/1297/2963/files/titipazenarupeboxef.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0429/9299/2410/files/9582908
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007238.bin75d8de4d3193e307387ebb83da99425defb8ca905eb55d7585a81570ee183732 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7238 | 5296 bytes |
font_01_sfnt_off0000841f.bin66c874de4b10d7d3c6eac9b34928ead60f3ac9342cca9eab89db185b009d4a93 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x841F | 10888 bytes |
font_02_sfnt_off0000a979.binc988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA979 | 16204 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.