MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link farm designed to appear as legitimate content, specifically CAE speaking part 1 questions. The primary malicious URL, https://ttraff.cc/pify?keyword=cae+speaking+part+1+questions+list+pdf, is a known redirector. The document body is heavily obfuscated, but the presence of multiple embedded URLs pointing to various domains, many of which are dynamically generated, indicates a likely attempt to distribute further malicious content or phishing pages.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=cae+speaking+part+1+questions+list+pdf
- http://tudagevep.akyeraalexiphotography.com/uploads/1/3/1/4/131483281/8256246.pdf
- http://viweni.fredcarmichaelsafety.com/uploads/1/3/2/7/132712207/a6e7680aa4412.pdf
- http://files.silasclifford-smith.com/uploads/1/3/0/7/130775002/6030341.pdf
- http://files.kristinacourt.com/uploads/1/3/2/6/132683267/siwipel.pdf
- http://bepaj.reginacoupar.ca/uploads/1/3/1/4/131483492/5616498.pdf
- https://cdn.shopify.com/s/files/1/0429/8709/4177/files/67548216167.pdf
- https://cdn.shopify.com/s/files/1/0433/7372/3800/files/29156982937.pdf
- https://cdn.shopify.com/s/files/1/0434/7097/9238/files/zutigirowovaledobafa.pdf
- https://cdn.shopify.com/s/files/1/0430/3778/6266/files/wupivinugagulotawalilu.pdf
- https://cdn.shopify.com/s/files/1/0428/4973/0727/files/void_pro_rgb_wireless.pdf
- https://cdn.shopify.com/s/files/1/0436/6660/4182/files/lutexamu.pdf
- https://cdn.shopify.com/s/files/1/0432/1466/7936/files/29395070412.pdf
- https://cdn.shopify.com/s/files/1/0430/6599/9511/files/multiply_2x2_matrix.pdf
- https://cdn.shopify.com/s/files/1/0433/5838/8374/files/todexogi.pdf
- https://cdn.shopify.com/s/files/1/0434/1510/9797/files/kendrick_lamar_dna_lyrics.pdf
- https://cdn.shopify.com/s/files/1/0435/7862/2111/files/66298409593.pdf
- https://cdn.shopify.com/s/files/1/0438/4954/7936/files/tegobasaliributenonokin.pdf
- https://cdn.shopify.com/s/files/1/0429/9456/5271/files/17287099387.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000069f2.bina83ae69cc0c341bf090848e74df50fd38c2d0eb9f5128465e992433ba1184761 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x69F2 | 5356 bytes |
font_01_sfnt_off00007c38.bindad374e26a35d87e17002a434e2a693c9a6e36243477153d9e0aa678bc39f804 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C38 | 10280 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.