MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=pogathe+pogathe+mp3'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The file also exhibits characteristics of a link farm, with numerous embedded links, many pointing to benign Shopify domains, likely to obscure the malicious redirector. No scripts were extracted from this sample.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=pogathe+pogathe+mp3
- https://cdn.shopify.com/s/files/1/0429/9302/5187/files/karusubuzelibu.pdf
- https://cdn.shopify.com/s/files/1/0432/9875/0629/files/venedojejivarejemononenu.pdf
- https://cdn.shopify.com/s/files/1/0438/5977/1557/files/59364972537.pdf
- https://cdn.shopify.com/s/files/1/0433/1605/2123/files/18304622023.pdf
- https://cdn.shopify.com/s/files/1/0431/0866/3456/files/98129527160.pdf
- https://cdn.shopify.com/s/files/1/0428/9105/1161/files/34462185980.pdf
- https://cdn.shopify.com/s/files/1/0433/6241/8847/files/2002_polaris_sportsman_500_repair_ma.pdf
- https://cdn.shopify.com/s/files/1/0439/1780/3675/files/sanuxupefitibemenaz.pdf
- https://cdn.shopify.com/s/files/1/0435/5440/6561/files/29847575419.pdf
- https://cdn.shopify.com/s/files/1/0437/6523/5866/files/wikozopasidot.pdf
- https://cdn.shopify.com/s/files/1/0431/5276/9192/files/22051890658.pdf
- https://cdn.shopify.com/s/files/1/0429/1425/0905/files/bevabu.pdf
- https://cdn.shopify.com/s/files/1/0432/3305/0779/files/18268450999.pdf
- https://cdn.shopify.com/s/files/1/0428/9894/8255/files/medupipiluwugilaxexiw.pdf
- https://cdn.shopify.com/s/files/1/0432/4461/7885/files/87928612279.pdf
- https://cdn.shopify.com/s/files/1/0428/7440/5023/files/risevepi.pdf
- https://cdn.shopify.com/s/files/1/0430/8631/5682/files/xukowovemed.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006309.binddeb8a4159ebb8b3d00a6d53dc0dc9d8826e0bbe9dea87faa9c496ba8ff0b394 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6309 | 4224 bytes |
font_01_sfnt_off000070df.binf4e34c35bca20e34385382f1bd604e7f7bd9fded1ba935984295b43d8be83385 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x70DF | 5092 bytes |
font_02_sfnt_off00008219.bind56779d3a4eea5392c3f18c5bbd7a90cb891d0d4cc37eb3d156e00fc8e83a1b5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8219 | 2856 bytes |
font_03_sfnt_off00008e2d.bindc426290a4e573636fc9a09897935a901fac46cc533c0961b4f2156037c2e66f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8E2D | 11424 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.