MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file was identified as malicious due to a high density of embedded links, many of which point to external resources. One critical heuristic flagged a link to a known malicious redirector at 'https://ttraff.com/pify?keyword=smiley+face+stickers'. Another heuristic indicated a large PDF link farm, with many links hosted on 'cdn.shopify.com'. The document body contains garbled text but also includes the malicious redirector URL and several Shopify URLs, suggesting a lure to entice users to click through to potentially harmful content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=smiley+face+stickers
- http://files.moondarraarabians.com/uploads/1/3/1/4/131483108/kadimijadod_nedijupagofa_xurewidubenuw.pdf
- http://files.cresaptowneagles2883.com/uploads/1/3/2/7/132740285/6627144.pdf
- http://files.collinscovecottage.com/uploads/1/3/1/4/131406288/zuwewokekuti.pdf
- http://files.swagatabanerjee.com/uploads/1/3/1/4/131406650/noxikewiwifidi-luriner-junomu.pdf
- https://cdn.shopify.com/s/files/1/0433/3443/4969/files/lunaluxenepesubigebofo.pdf
- https://cdn.shopify.com/s/files/1/0429/9590/8761/files/76071245120.pdf
- https://cdn.shopify.com/s/files/1/0429/1143/2857/files/46501169310.pdf
- https://cdn.shopify.com/s/files/1/0427/7737/8972/files/wibuvixikobenul.pdf
- https://cdn.shopify.com/s/files/1/0428/1214/5823/files/69363914629.pdf
- https://cdn.shopify.com/s/files/1/0436/1263/5299/files/cheating_cookie_clicker.pdf
- https://cdn.shopify.com/s/files/1/0430/0531/3177/files/nivasipazufoxanidorufuvor.pdf
- https://cdn.shopify.com/s/files/1/0429/5085/2762/files/wejujedopobuzuwezinu.pdf
- https://cdn.shopify.com/s/files/1/0434/8890/3325/files/87788459225.pdf
- https://cdn.shopify.com/s/files/1/0434/8438/1337/files/rekafazizavusaduloguxe.pdf
- https://cdn.shopify.com/s/files/1/0432/6971/8182/files/82778025321.pdf
- https://cdn.shopify.com/s/files/1/0435/7701/6483/files/pemaxud.pdf
- https://cdn.shopify.com/s/files/1/0432/4953/3088/files/radio_shack_basic_electronics.pdf
- https://cdn.shopify.com/s/files/1/0430/8992/0154/files/how_to_set_day_in_minecraft.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0434/8438/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006ede.binaa305d0380a0d04fd3eb72156c4cd76c42e45ccb48814add1bf8dd9951bde5be |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6EDE | 5296 bytes |
font_01_sfnt_off000080d8.binfaa2fd1052c23c013d22e334d296ad0ff6f23294a6ac86a905c1c2fa957e398f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x80D8 | 13168 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.