MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates a malicious redirector link (https://ttraff.cc/pify?keyword=best+kotor+2+mods), suggesting the document is designed to redirect users to malicious sites. The presence of numerous other PDF links, many hosted on Shopify, further supports the idea of a link farm used for SEO manipulation or to obscure the final malicious destination. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=best+kotor+2+mods
- http://files.handbuiltvans.com/uploads/1/3/0/9/130969681/tewepimaj_kiwomemam.pdf
- http://files.wisteria-cottage.com/uploads/1/3/1/4/131438784/teratizewezudali.pdf
- http://files.parentlednetwork.org/uploads/1/3/0/8/130813781/6a072.pdf
- http://files.remedysuppliesllc.com/uploads/1/3/1/4/131453022/8882996.pdf
- http://files.stevenstackplaywright.com/uploads/1/3/1/4/131453574/vejogogisogira.pdf
- https://cdn.shopify.com/s/files/1/0433/0287/9387/files/java_iterate_through_hashmap.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rabilividobakomitunaxizug.pdf
- https://cdn.shopify.com/s/files/1/0432/3164/1767/files/penovimi.pdf
- https://cdn.shopify.com/s/files/1/0432/8315/3056/files/39239458496.pdf
- https://cdn.shopify.com/s/files/1/0437/6051/7269/files/dapikisuvepinemifotum.pdf
- https://cdn.shopify.com/s/files/1/0429/1729/8329/files/pink_sober_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0432/4484/7266/files/crafted_2d_minecraft.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/60233972239.pdf
- https://cdn.shopify.com/s/files/1/0433/3905/5253/files/18568970049.pdf
- https://cdn.shopify.com/s/files/1/0428/4504/4892/files/tavexejejejipu.pdf
- https://cdn.shopify.com/s/files/1/0433/0323/9840/files/heap_implementation_in_c.pdf
- https://cdn.shopify.com/s/files/1/0433/2643/9582/files/12646521616.pdf
- https://cdn.shopify.com/s/files/1/0429/0933/5715/files/pojonijogez.pdf
- https://cdn.shopify.com/s/files/1/0431/4021/9037/files/cub_cadet_st_100.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000067dd.bin341f9e3075441b6988b3290613f5e5693a0017a0c829201ffcf5f11b69ff112e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x67DD | 4976 bytes |
font_01_sfnt_off000078ba.bin1f0113efea3973f28d0685ef92743fc8b3aa6f0e53c5dbcb92b9ac6dc14f5ffa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x78BA | 9776 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.