MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/pify?keyword=table+of+contents+latex+template'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the same redirector URL and a reference to 'wkhtmltopdf', suggesting it was generated by a tool. The primary attack pattern involves luring the user to click the malicious link, which then redirects to further malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=table+of+contents+latex+template
- http://files.j2bllc.com/uploads/1/3/2/6/132681322/39b2ce7fed05.pdf
- https://cdn.shopify.com/s/files/1/0433/0304/3230/files/sikejunuxidawurexam.pdf
- https://cdn.shopify.com/s/files/1/0433/8017/9107/files/38109212061.pdf
- https://cdn.shopify.com/s/files/1/0433/3335/3627/files/auditing_notes.pdf
- https://cdn.shopify.com/s/files/1/0428/3629/5836/files/download_schoolboy_q_oxymoron.pdf
- https://cdn.shopify.com/s/files/1/0429/7257/7946/files/68926536587.pdf
- https://cdn.shopify.com/s/files/1/0443/0174/6332/files/fundamentals_of_python_2nd_edition.pdf
- https://cdn.shopify.com/s/files/1/0463/3113/4113/files/pikejeroxawirezavejejo.pdf
- https://cdn.shopify.com/s/files/1/0433/9548/1750/files/cavalieri_dello_zodiaco_hades_ita.pdf
- https://cdn.shopify.com/s/files/1/0432/5382/5704/files/36978007.pdf
- https://cdn.shopify.com/s/files/1/0432/6824/3614/files/advantages_and_disadvantages_of_online_examination_system.pdf
- https://cdn.shopify.com/s/files/1/0431/1636/3927/files/rebapev.pdf
- https://cdn.shopify.com/s/files/1/0437/4292/0869/files/rabaxolidirulepobu.pdf
- https://cdn.shopify.com/s/files/1/0430/8130/2167/files/collecting_data_from_multiple_excel_spreadsheets.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0431/1636/39
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000067c9.binad0d139e55f8ad8c9f38e362db0850631f06b4a0402e02a402b20841bc7d96da |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x67C9 | 5220 bytes |
font_01_sfnt_off00007988.bin39bfce20a9c38cd842e4417a4ef222d79e776d63a9bec9a27a9c3557d58b025b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7988 | 10736 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.