MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, many of which point to seemingly benign Shopify URLs, but one critical link directs to a known malicious redirector. The document body, though heavily obfuscated, contains the text 'Tap dancing to work' and the malicious URL, suggesting a lure to a malicious site. The presence of numerous links, including the malicious one, indicates a link farm strategy to obscure the final destination and potentially leverage SEO tactics.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=tap+dancing+to+work
- https://cdn.shopify.com/s/files/1/0431/5768/4375/files/regag.pdf
- https://cdn.shopify.com/s/files/1/0432/1030/9787/files/78169824511.pdf
- https://cdn.shopify.com/s/files/1/0432/4553/5400/files/cg_police_constable_question_paper_2020.pdf
- https://cdn.shopify.com/s/files/1/0433/1572/4456/files/accounting_information_system_multiple_choice_questions_and_answers.pdf
- https://cdn.shopify.com/s/files/1/0430/9975/0560/files/64702845319.pdf
- https://cdn.shopify.com/s/files/1/0463/0393/6669/files/63805854624.pdf
- https://cdn.shopify.com/s/files/1/0435/4061/1226/files/bidulikebovuvelukux.pdf
- https://cdn.shopify.com/s/files/1/0433/4125/0714/files/katelyn_tarver_love_me_again.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nulifagavukaxubodipiripu.pdf
- https://static.usrfiles.com/ugd/b8c837_b88d344323bb46cabc741122bd7c87af.pdf
- https://static.usrfiles.com/ugd/0a052f_c1f040ff9a8e4b8f81962184710d4f4c.pdf
- https://static.usrfiles.com/ugd/b8c837_4a4cee9358854ee29a3e77308ee60d54.pdf
- https://static.usrfiles.com/ugd/3fc21f_d7cb9437670f41458f6012f70e9da56b.pdf
- https://static.usrfiles.com/ugd/6116da_8f0f8deb428544229fd7d13422561da6.pdf
- https://static.usrfiles.com/ugd/b8c837_20cd28342c4c4789b321a1bce7b0533a.pdf
- https://static.usrfiles.com/ugd/b8c837_d5525ed7b916441298663e2afd7080dd.pdf
- https://static.usrfiles.com/ugd/40b9e6_d7e69ef150d040819d6f4433402330ce.pdf
- https://static.usrfiles.com/ugd/69695d_f93c3217924b48ea832091f8378334e2.pdf
- https://static.usrfiles.com/ugd/b8c837_d5334062b76041b4906fa610bd60d58a.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://static.usrfiles.com/ugd/0a052f_c1f040ff9a8e4b8f81962184710d
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006da0.binfdff58f49cc43041dc00f46d5d6f0997c536650f4e59bd8c994bd338b26feb0e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6DA0 | 5136 bytes |
font_01_sfnt_off00007f3a.bin7f2a658bbfa4182c2819d8246d6e14ed278225046b70a9e25c41f6b091f83933 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F3A | 10736 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.