MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains numerous embedded links, identified as a PDF link farm, with the primary malicious redirector found at ttraff.ru. The document body, though heavily obfuscated, contains text related to 'Bga eitim seti pdf' and mentions wkhtmltopdf, suggesting it's a lure document. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms the link to ttraff.ru is malicious, and PDF_SEO_LINK_FARM indicates a large number of links pointing to Shopify-hosted PDFs, likely to obscure the final malicious destination.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=bga+e%25C4%259Fitim+seti+pdf
- http://files.shatteredshackles.com/uploads/1/3/1/3/131379054/zugusobin-dukozakafexi.pdf
- http://files.emilycatherines.org/uploads/1/3/1/3/131380021/7878104.pdf
- http://files.elizabeth-mendenhall.com/uploads/1/3/1/3/131383825/13a72db332.pdf
- https://cdn.shopify.com/s/files/1/0434/3506/5505/files/vifewebabogofa.pdf
- https://cdn.shopify.com/s/files/1/0430/1763/3949/files/jikeruwux.pdf
- https://cdn.shopify.com/s/files/1/0433/5622/5688/files/10220636726.pdf
- https://cdn.shopify.com/s/files/1/0430/0118/4417/files/77547518047.pdf
- https://cdn.shopify.com/s/files/1/0434/5665/9621/files/59771592617.pdf
- https://cdn.shopify.com/s/files/1/0436/3137/8590/files/taluvalukeduruva.pdf
- https://cdn.shopify.com/s/files/1/0429/6704/0154/files/98142111885.pdf
- https://cdn.shopify.com/s/files/1/0438/2654/4802/files/43367247704.pdf
- https://cdn.shopify.com/s/files/1/0434/4469/9288/files/vulodimefokasadagovid.pdf
- https://cdn.shopify.com/s/files/1/0431/7780/3931/files/41182481228.pdf
- https://cdn.shopify.com/s/files/1/0429/7680/5023/files/57688012522.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nebedaxogatasimilore.pdf
- https://cdn.shopify.com/s/files/1/0435/8271/8107/files/sowoderixediwurawasop.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00017774.binebc0c66205eecaa15b97408e97b4ca266c1ef79c221d6a066ab8c4dd73ae161d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17774 | 2884 bytes |
font_01_sfnt_off000181a3.bin0133471e119cd1048612f060fcf3853e75ce86cb9fbee46c2749e3b4197622f0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x181A3 | 2512 bytes |
font_02_sfnt_off00018c92.bine495b8215738231bd7307f706f0e0a2edadcb74b0c3a0edfe84ee39f2c6f2489 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x18C92 | 5084 bytes |
font_03_sfnt_off00019d78.binc1ee04c582367193397ee30f713e2cc0c0cf75a635e0a6da60ac4465b068ec3b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x19D78 | 17580 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.