MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a lure related to a Canadian visa application form, as indicated by the document body and the SE_INVOICE_LURE heuristic. It embeds a link to a redirector at 'https://ttraff.ru/pify?keyword=canadian+visa+application+form+5257', which is flagged as malicious. The PDF_SEO_LINK_FARM heuristic indicates a large number of embedded links, likely for SEO poisoning or to distribute malicious content. The file is identified as a PDF and the heuristics suggest it's designed to trick users into clicking malicious links.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=canadian+visa+application+form+5257
- http://files.followmechristian.org/uploads/1/3/1/3/131381839/7880190.pdf
- http://kuxuze.mybritneyspearscollection.com/uploads/1/3/1/3/131380042/3f6f38a481c0.pdf
- http://files.arkansasdoghuntersassociation.com/uploads/1/3/1/4/131437484/4305366.pdf
- http://nomur.chadandre.com/uploads/1/3/0/9/130968917/9283959.pdf
- http://golasegor.depthstiny.com/uploads/1/3/0/9/130969656/93e0194f9.pdf
- https://cdn.shopify.com/s/files/1/0431/8186/7176/files/20563515591.pdf
- https://cdn.shopify.com/s/files/1/0430/1769/9477/files/vopodamasasitinesimur.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/rafudegilezenetizaxesuvos.pdf
- https://cdn.shopify.com/s/files/1/0438/0455/7469/files/6445276017.pdf
- https://cdn.shopify.com/s/files/1/0431/0056/9766/files/answered_prayer_glorifies_god.pdf
- https://cdn.shopify.com/s/files/1/0437/7129/7943/files/68036634976.pdf
- https://cdn.shopify.com/s/files/1/0430/6491/8165/files/pathogenesis_of_hepatitis_b_virus_infection.pdf
- https://cdn.shopify.com/s/files/1/0433/0936/7461/files/uses_of_carica_papaya.pdf
- https://cdn.shopify.com/s/files/1/0440/2518/4421/files/2061272534.pdf
- https://cdn.shopify.com/s/files/1/0434/4463/3756/files/43581126320.pdf
- https://cdn.shopify.com/s/files/1/0438/6252/4069/files/albinism_in_humans.pdf
- https://cdn.shopify.com/s/files/1/0439/0594/1672/files/call_of_duty_app_store.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e014.bin4f290d6b5b100dadea371e3dafc9709d31ad78ad85cb70f1cc3f1bbc59062832 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE014 | 5604 bytes |
font_01_sfnt_off0000f31e.bin338c0e3b8b496440854dc43e782543b6cd875bd065913970ce42a59c4a3c98a7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF31E | 10748 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.