MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on various domains, including a known malicious redirector at 'ttraff.ru'. This suggests a link farm or redirection tactic to obscure the final malicious destination. The document body itself contains garbled text but also includes the malicious URL and several benign-looking Shopify URLs, indicating a potential lure or spam campaign. No scripts were extracted, but the heuristic firings strongly indicate a malicious redirection attempt.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=banaras+wala+remix
- http://fidonegan.segolilyschool.org/uploads/1/3/2/6/132683188/gazojoxej-veluginika-nixomude.pdf
- http://xonaterod.trendsterrabella.com/uploads/1/3/1/6/131637814/tulakawet.pdf
- http://fiwufegi.amishpoly.com/uploads/1/3/1/0/131070331/muvajugowiz_nizim_gaxuteg.pdf
- http://jimimupup.bh365project.com/uploads/1/3/1/6/131606346/9294074.pdf
- https://cdn.shopify.com/s/files/1/0432/6758/8252/files/zezaleparasotuto.pdf
- https://cdn.shopify.com/s/files/1/0431/9353/2573/files/example_of_formal_and_informal_letter_pdf.pdf
- https://cdn.shopify.com/s/files/1/0440/2964/0854/files/pretty_ricky_bluestars_album.pdf
- https://cdn.shopify.com/s/files/1/0435/6934/8763/files/princeton_review_mcat_physics.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xigorekotat.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/64630415929.pdf
- https://cdn.shopify.com/s/files/1/0432/8954/2809/files/nunafavewazelaresewax.pdf
- https://cdn.shopify.com/s/files/1/0430/7956/5465/files/simple_english_short_story.pdf
- https://cdn.shopify.com/s/files/1/0431/4116/9303/files/72709543779.pdf
- https://cdn.shopify.com/s/files/1/0438/0858/7933/files/zirurujokejedojizarunuf.pdf
- https://cdn.shopify.com/s/files/1/0433/7103/6823/files/pipew.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005bab.binbfc4410fbccf71534da10c78dd82c1fa50e0518cd9868c914c8491fa1d1844ee |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BAB | 5040 bytes |
font_01_sfnt_off00006cc3.bin3f0828ce8539d6704c3c5c487418eae6389b94b93c39031e834bee5c0f95218b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CC3 | 1712 bytes |
font_02_sfnt_off00007547.bin9eef0e51e656f31f60d9fe9d82878a98fe30372123215f7391f3e4983c67049c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7547 | 14836 bytes |
font_03_sfnt_off0000a3c4.bin5e069c651af388c9d1c46793672a95033926ecea19c95ad36686e36c52502565 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA3C4 | 4328 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.