MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file exhibits malicious behavior through a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, pointing to 'https://ttraff.ru/pify?keyword=book+to+learn+mandarin+pdf'. Additionally, it contains a PDF link farm, as indicated by the PDF_SEO_LINK_FARM heuristic, with numerous links to external PDFs hosted on platforms like shopify.com. The presence of a visual download button lure further suggests an attempt to entice user interaction. The primary intent appears to be directing users to malicious or deceptive content via these links.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=book+to+learn+mandarin+pdf
- http://files.anitashackelford.net/uploads/1/3/1/4/131438459/dipixuxi-mosafatamij-xanetubovu.pdf
- http://files.itanecoleman.com/uploads/1/3/1/4/131437318/3061225.pdf
- http://files.challengethewind.org/uploads/1/3/2/6/132681464/kukusagaxenizokek.pdf
- https://cdn.shopify.com/s/files/1/0434/3519/6566/files/71464844332.pdf
- https://cdn.shopify.com/s/files/1/0427/8334/2748/files/lazowedoxakodujimovopajod.pdf
- https://cdn.shopify.com/s/files/1/0429/2784/9639/files/zapinaduwiruzuxekikifole.pdf
- https://cdn.shopify.com/s/files/1/0431/5791/3757/files/lexutopigutoxez.pdf
- https://cdn.shopify.com/s/files/1/0433/3302/5960/files/area_of_different_shapes_worksheet.pdf
- https://cdn.shopify.com/s/files/1/0434/4545/2967/files/72392023830.pdf
- https://cdn.shopify.com/s/files/1/0438/1717/3152/files/fesuzibesuvenomola.pdf
- https://cdn.shopify.com/s/files/1/0438/4853/2128/files/lemesesiwubulaluje.pdf
- https://cdn.shopify.com/s/files/1/0433/6982/4414/files/37470632124.pdf
- https://cdn.shopify.com/s/files/1/0429/8774/9525/files/84261796496.pdf
- https://cdn.shopify.com/s/files/1/0432/2846/3271/files/cricut_user_manual.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0431/5791/3757/fi
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000086e8.binfe621318fd43f98f2b9861dab3fd5f4d835544ed56eefa01881a0bef0ef883d5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x86E8 | 3192 bytes |
font_01_sfnt_off00009257.bin509378b4daa5230b4de4c4c07e2645593fba85955c5e18ce2602097281794341 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9257 | 5124 bytes |
font_02_sfnt_off0000a3b2.bin3604c16eff4204f8618ad4207fe0c7daa782233a7c9376a383a131414013dbf9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA3B2 | 10008 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.