MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains numerous embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL, https://ttraff.com/pify?keyword=kuensel+calendar+2020+pdf+download, is used to redirect users to potentially harmful content. The document body, though heavily obfuscated, contains references to this malicious URL and a benign-looking PDF, suggesting a lure to download a file that ultimately leads to malicious infrastructure. The presence of many Shopify links suggests an attempt to blend in with legitimate content.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=kuensel+calendar+2020+pdf+download
- http://files.maschmeyer.com/uploads/1/3/1/3/131378838/putedogovo-piretelaso-bonuwezi.pdf
- http://files.bikeforlifesd.org/uploads/1/3/2/6/132682802/peguko-safewarosamesu-kafivilozobo.pdf
- http://files.dukeunccls.com/uploads/1/3/1/4/131483371/6017493.pdf
- http://piside.monaghantidytowns.com/uploads/1/3/0/7/130738531/rawokurev.pdf
- https://cdn.shopify.com/s/files/1/0440/9799/4904/files/70008834781.pdf
- https://cdn.shopify.com/s/files/1/0433/0776/1819/files/2323625901.pdf
- https://cdn.shopify.com/s/files/1/0427/7318/4678/files/36473860227.pdf
- https://cdn.shopify.com/s/files/1/0434/5413/6473/files/how_to_anonymize_adobes.pdf
- https://cdn.shopify.com/s/files/1/0435/5611/0487/files/86286446900.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/92702877098.pdf
- https://cdn.shopify.com/s/files/1/0444/4350/0710/files/31065591976.pdf
- https://cdn.shopify.com/s/files/1/0435/2340/8032/files/81231932075.pdf
- https://cdn.shopify.com/s/files/1/0430/5934/7618/files/vikobujuxexedetip.pdf
- https://cdn.shopify.com/s/files/1/0430/7111/1330/files/free_form_filler_software.pdf
- https://cdn.shopify.com/s/files/1/0429/4619/9711/files/46951687578.pdf
- https://cdn.shopify.com/s/files/1/0432/6552/3862/files/37304835182.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005bf4.binbc78286fbb1432c4ee71cb1132b0d7fad659802321d1fffbabcca85935da3b73 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BF4 | 5484 bytes |
font_01_sfnt_off00006ecb.bin05f002fbe2dafaf9ff3a91415ac4de6fc5120697e93b7d77852534f9b64c6f9d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6ECB | 11116 bytes |
font_02_sfnt_off000086e2.binc14a7261fc73024d8eb5a71744047bba87e284d88f493d6fd64b95d3292805af |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x86E2 | 2448 bytes |
font_03_sfnt_off0000918d.bin65ce7be32060f512d926dfe51596a587878b372b456ba5961b7472b095354218 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x918D | 9880 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.