MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of embedded links, many pointing to Shopify domains, suggesting an attempt at SEO poisoning to drive traffic to malicious sites. The primary malicious URL identified is a redirector, indicating a likely phishing or malware delivery attempt. The document body, though heavily obfuscated, contains keywords related to technical documents and the wkhtmltopdf tool, reinforcing the lure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wb?keyword=theory%20of%20elastic%20stability%20timoshenko%20pdf
- http://files.kspaceonline.com/uploads/1/3/1/3/131380868/b7e90.pdf
- http://files.whatwonderfulwine.com/uploads/1/3/0/7/130740401/5461032.pdf
- http://files.ryankitley.com/uploads/1/3/1/3/131384169/jozud_dozuj.pdf
- http://files.carrigartpresbyterianchurch.com/uploads/1/3/0/7/130775866/75564599544c.pdf
- https://cdn.shopify.com/s/files/1/0431/4837/8274/files/computer_bill_of_sale.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rejukimuvili.pdf
- https://cdn.shopify.com/s/files/1/0438/2670/8637/files/axis_and_allies_1940_global_map.pdf
- https://cdn.shopify.com/s/files/1/0429/0697/6422/files/5692043077.pdf
- https://cdn.shopify.com/s/files/1/0430/6717/9165/files/78919075408.pdf
- https://cdn.shopify.com/s/files/1/0433/8227/6257/files/asma_ocupacional.pdf
- https://cdn.shopify.com/s/files/1/0429/7375/7603/files/firewall_security_system.pdf
- https://cdn.shopify.com/s/files/1/0429/7749/3146/files/82405108216.pdf
- https://cdn.shopify.com/s/files/1/0434/2687/3509/files/39036295532.pdf
- https://cdn.shopify.com/s/files/1/0432/7571/4715/files/shoo_fly_don_t_bother_me_song.pdf
- https://cdn.shopify.com/s/files/1/0434/7238/8246/files/25309833122.pdf
- https://cdn.shopify.com/s/files/1/0433/0822/0574/files/zofuwodasujetunav.pdf
- https://cdn.shopify.com/s/files/1/0433/3197/7370/files/pijefulawirigufosusepu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005064.binee95eaa6254eaa8ca0280f2ea5e7ae449021aced5241405b491048b49751cad2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5064 | 5436 bytes |
font_01_sfnt_off000062b4.binedc22a883df7b34a0936fbf9912230aeabdf2c8b970e09b33aec48451d177160 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x62B4 | 11180 bytes |
font_02_sfnt_off0000870d.bince7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x870D | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.