Verdict: MALICIOUS
Risk Score: 160

Malware Insights

MITRE ATT&CK:
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
Heuristic matches indicate that the PDF is a malicious redirector and an advance-fee scam lure. The document body, though heavily obfuscated, contains a URL that is also flagged as malicious. The primary attack pattern relies on tricking the user into clicking the embedded link, which leads to a known malicious redirector.
Heuristics (4)

- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE: Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.com/wix?keyword=luigi%2527+s+mansion+3ds+remake+guide
- https://cdn.shopify.com/s/files/1/0427/9002/7430/files/african_belief_system.pdf
- https://cdn.shopify.com/s/files/1/0430/0141/3785/files/request_leave_form.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/23313492251.pdf
- https://cdn.shopify.com/s/files/1/0434/3152/6557/files/jalalu.pdf
- https://cdn.shopify.com/s/files/1/0432/3452/5352/files/stock_inventory_spreadsheet.pdf
- https://cdn.shopify.com/s/files/1/0428/0057/8723/files/rifekuli.pdf
- https://cdn.shopify.com/s/files/1/0434/5351/3881/files/mivarimizavuba.pdf
- https://cdn.shopify.com/s/files/1/0431/8747/0496/files/duxulit.pdf
- https://cdn.shopify.com/s/files/1/0430/1013/0073/files/58061919617.pdf
- https://static.usrfiles.com/ugd/b463f2_b87bd9ee687c4aff8b64e7e260db0dfb.pdf
- https://static.usrfiles.com/ugd/6846fe_fffa800750284f37a1c45167826dff06.pdf
- https://static.usrfiles.com/ugd/4d6844_34d972f4326c489bad339cd33cb999e1.pdf
- https://static.usrfiles.com/ugd/07ef24_f89ab2a0a5c94a65bfacb5c1b362a2de.pdf
- https://static.usrfiles.com/ugd/837d34_17abfc35f9b2462fad38ee17f634a3cc.pdf
- https://cdn.shopify.com/s/files/1/0437/4354/3450/files/davanetepotanowoz.pdf
- https://cdn.shopify.com/s/files/1/0430/6193/6285/files/3102147602.pdf
- https://cdn.shopify.com/s/files/1/0435/0250/2048/files/nukotuzibebikumumotamas.pdf
- https://cdn.shopify.com/s/files/1/0432/7702/5446/files/posaxuvasivoloxobulukas.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0001d78e.bin | ec6c13b1900b2e5bbd4cb8ce21f926d5001efda38dc609d37863f8a48ff5ecc4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D78E | 5316 bytes |
| font_01_sfnt_off0001e997.bin | caa78a210e506ac7c668649391b208fd846a2148b23e3695c3934b163165014c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E997 | 14980 bytes |