MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, many of which point to a link farm hosted on Shopify. One of these links, found in the document body, redirects to malicious infrastructure via ttraff.ru. The presence of a download button lure further supports the malicious intent. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=chalkduster+font+free++windows
- http://files.banditaerialproductions.net/uploads/1/3/2/3/132302892/xosesefu_naxotoweguvone_guxakedofi_wuvipilit.pdf
- http://kixuza.gcsecs.com/uploads/1/3/0/9/130969465/kitosob-bedevutolav-poxirekatogu-gadejiv.pdf
- http://mewis.t9corp.com/uploads/1/3/0/7/130775565/0c459.pdf
- http://files.drrebeccaaptekersandtonpsychology.com/uploads/1/3/0/7/130740625/c543f0c.pdf
- http://files.tracystreks.com/uploads/1/3/1/4/131411197/6909191.pdf
- https://cdn.shopify.com/s/files/1/0436/1610/8701/files/50072635109.pdf
- https://cdn.shopify.com/s/files/1/0429/1903/5033/files/90157998400.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/52665001447.pdf
- https://cdn.shopify.com/s/files/1/0429/0835/2679/files/wabunoji.pdf
- https://cdn.shopify.com/s/files/1/0430/7124/2389/files/toxijov.pdf
- https://cdn.shopify.com/s/files/1/0429/3237/1622/files/28248769019.pdf
- https://cdn.shopify.com/s/files/1/0430/7301/1863/files/lysol_disinfectant_spray_msds_sheets.pdf
- https://cdn.shopify.com/s/files/1/0429/5481/7690/files/valonupedeke.pdf
- https://cdn.shopify.com/s/files/1/0430/3798/2869/files/baxisiba.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006587.bin22de88b1c0d07a59b2821642dc200d6d9e211d35bdad5c9ce05d79a6c8fdb677 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6587 | 2832 bytes |
font_01_sfnt_off00006f6b.bin50bd8db5ff9a0f03ea6ac0366ab4ff273dceb6ff0c6101ac0faff1fd52ccc92d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F6B | 6168 bytes |
font_02_sfnt_off00007f0d.binb53a9605971694cfa7e2b658b568c5667cd4c673697aaee748038f997bb96663 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F0D | 5056 bytes |
font_03_sfnt_off00009043.bin8f044b01b46f311dd541962841be3a3c0330694ee1d90e81f0aa2d53b117f577 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9043 | 43616 bytes |
font_04_sfnt_off0000e80c.binfb27248ec02d804caa0ce6a8dd06a8f0f211157336bc50f6c382585ff5fe3da3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE80C | 16084 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.