MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF file contains a lure related to a Canadian visa application form, which is a common tactic for phishing and scam attempts. It embeds a link that redirects to malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The PDF also contains a large number of external links, suggesting a link farm for SEO manipulation or to distribute malicious content. The presence of invoice or payment language further supports the scam lure.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=canada+visa+application+form+pdf+imm+5257
- http://files.joyofmakeup.ca/uploads/1/3/1/0/131069887/jegosobumega_savogik_wojefukisanule.pdf
- http://files.waterworks.nu/uploads/1/3/0/9/130969748/tuvimusasul.pdf
- http://files.fjordsar.com/uploads/1/3/1/6/131637773/katuzarato.pdf
- https://cdn.shopify.com/s/files/1/0433/1008/8342/files/python_print_without_new_line.pdf
- https://cdn.shopify.com/s/files/1/0437/6199/1829/files/asfixia_libro_alex_mirez.pdf
- https://cdn.shopify.com/s/files/1/0437/6064/8343/files/zilebipelolulaze.pdf
- https://cdn.shopify.com/s/files/1/0428/9354/1535/files/siditinonivi.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kuzizurogepibisomagin.pdf
- https://cdn.shopify.com/s/files/1/0429/6422/2101/files/sparknotes_romeo_and_juliet_act_4.pdf
- https://cdn.shopify.com/s/files/1/0431/7410/1149/files/47605456031.pdf
- https://cdn.shopify.com/s/files/1/0437/0091/2278/files/jusab.pdf
- https://cdn.shopify.com/s/files/1/0437/1313/4757/files/mepisazazefufitogu.pdf
- https://cdn.shopify.com/s/files/1/0433/8122/7672/files/93655991562.pdf
- https://cdn.shopify.com/s/files/1/0433/5756/9176/files/ripasimudopototeweg.pdf
- https://cdn.shopify.com/s/files/1/0428/9105/1161/files/41471609369.pdf
- https://cdn.shopify.com/s/files/1/0437/0874/3835/files/business_process_management_jeston.pdf
- https://cdn.shopify.com/s/files/1/0433/5727/4270/files/15881797433.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e289.bin726d867a1dd343477b7427509e52788a1ca8eaa81de7c2695521683b86182611 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE289 | 5604 bytes |
font_01_sfnt_off0000f595.binbc8dd633de4399a3d4295d5cd5017faac126a93b28f895a1f8b908a07116dc80 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF595 | 10748 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.