MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 Malicious Link
T1059.001 PowerShell
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF SEO link farm, with numerous links to external PDFs, many hosted on Shopify. The document body, though heavily obfuscated, appears to contain text related to a tour, suggesting a lure to entice users to click the malicious link. No scripts were extracted, but the presence of a malicious redirector is a strong indicator of malicious intent.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=upper+antelope+canyon+guided+sightseer%2527+s+tour
- http://files.smsphonefix.com/uploads/1/3/1/6/131606208/c636cc0825a.pdf
- http://files.timothycolbert.com/uploads/1/3/1/1/131164351/jijarijuj.pdf
- http://files.leswilkesphotographer.com/uploads/1/3/2/7/132712139/2622228.pdf
- http://files.theonealexyoung.com/uploads/1/3/1/3/131384568/9114419.pdf
- http://files.asbeautbar.com/uploads/1/3/1/6/131606159/manaw-wunavonaforaluk.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51982080438.pdf
- https://cdn.shopify.com/s/files/1/0430/9296/7581/files/kepunezifuwumozo.pdf
- https://cdn.shopify.com/s/files/1/0432/6316/4580/files/girirunujitofu.pdf
- https://cdn.shopify.com/s/files/1/0430/5459/6250/files/vozopilu.pdf
- https://cdn.shopify.com/s/files/1/0432/3373/8911/files/faxarujigegedusarora.pdf
- https://cdn.shopify.com/s/files/1/0428/1624/1831/files/84670337689.pdf
- https://cdn.shopify.com/s/files/1/0432/2358/0830/files/5641983455.pdf
- https://cdn.shopify.com/s/files/1/0434/0505/0008/files/92537112646.pdf
- https://cdn.shopify.com/s/files/1/0429/6779/3820/files/96898164972.pdf
- https://cdn.shopify.com/s/files/1/0428/4183/3635/files/96935217022.pdf
- https://cdn.shopify.com/s/files/1/0435/4116/8283/files/57508509041.pdf
- https://cdn.shopify.com/s/files/1/0431/2809/4882/files/sasuro.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/files/1/0432/6316/4580/files/girir
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00007eab.bin3c5001332d1221cfc663ad26151e2359bf2be4c573600f9b30be1ccb38396999 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7EAB | 5344 bytes |
font_01_sfnt_off000090da.bin235e726e3001094c88a6d833f3b2b27d95e423b11eec30af544ebe18d1d318cd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x90DA | 10340 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.