MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains numerous embedded links, with a critical heuristic identifying a malicious redirector. One of the primary links points to 'ttraff.ru', which is flagged as a malicious redirector. The document also contains a visual download button lure, suggesting a social engineering tactic to encourage clicks. The presence of a large number of links, many hosted on Shopify, indicates a link farm designed to obscure the ultimate destination.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=python+curses+examples
- http://files.annebronsveld.com/uploads/1/3/1/4/131453256/7411796.pdf
- http://files.practicalisoltd.co.uk/uploads/1/3/2/7/132712222/3360696.pdf
- http://files.lindabierymusic.com/uploads/1/3/2/7/132710575/pifevadonuzi-wabonevawag-bokek-watetigale.pdf
- http://files.harleyrosefloral.com/uploads/1/3/2/3/132302780/3482446.pdf
- https://cdn.shopify.com/s/files/1/0428/1348/9318/files/zusezutigilix.pdf
- https://cdn.shopify.com/s/files/1/0436/8993/5003/files/bisoxozefiwozipajejadar.pdf
- https://cdn.shopify.com/s/files/1/0439/2737/1931/files/sixolizewufukenelobomunuw.pdf
- https://cdn.shopify.com/s/files/1/0434/8503/6706/files/vejujafebelij.pdf
- https://cdn.shopify.com/s/files/1/0433/3161/6923/files/kalol.pdf
- https://cdn.shopify.com/s/files/1/0432/7263/4533/files/vofetoxumi.pdf
- https://cdn.shopify.com/s/files/1/0431/4995/1138/files/59213656430.pdf
- https://cdn.shopify.com/s/files/1/0437/6100/8791/files/10036732127.pdf
- https://cdn.shopify.com/s/files/1/0435/5430/8257/files/90958842763.pdf
- https://cdn.shopify.com/s/files/1/0431/4038/2882/files/60060518950.pdf
- https://cdn.shopify.com/s/files/1/0433/2837/2886/files/journey_to_the_west_1996.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007192.bin55e4e21daff2d78545bd789d874c548d5a2eb0fa87dca5e780a5ec78ec69fe04 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7192 | 5344 bytes |
font_01_sfnt_off000083a1.bind323e436af2bff83f02a77cb048850cdb470e05f82754cea900ef2795bd779d3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x83A1 | 9920 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.