Malicious PDF — malware analysis report

Static analysis result for SHA-256 17d6d65c242a967c…

Verdict: MALICIOUS
File type: PDF
Size: 43.0 KB
Created: 2020-09-18 18:48:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5cf17fbaf1cf61fda0ce3295f350d74
SHA-1: 206d1ed74b7661df93d3417e625ca433b167e5a4
SHA-256: 17d6d65c242a967c58cd8a98283816d77d17ecc8d01c6e3e5c54351cb87b1421
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm and a redirector to a malicious URL, suggesting it is designed to lead users to potentially harmful content. The embedded document body, though heavily obfuscated, contains text related to a lease agreement addendum and the malicious URL, reinforcing the lure. The presence of numerous PDF links indicates a potential SEO manipulation or link farm tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=california+association+of+realtors+residential+lease+agreement+addendum
    • http://files.capeco-works.org/uploads/1/3/1/3/131379671/delivi.pdf
    • http://lowasixe.envisiongalleries.com/uploads/1/3/1/1/131163981/gukonel.pdf
    • http://files.weddingceremonypro.com/uploads/1/3/1/4/131482826/5307505.pdf
    • http://luwem.theemergencefoundation.com/uploads/1/3/0/7/130739906/wixuwadababorerewud.pdf
    • http://xejuvibem.tinman24.org/uploads/1/3/1/3/131380183/busifexuwo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4be267b1-4a50-4b11-9e77-43c7e2cd47bc.filesusr.com/ugd/c638b7_27fa2407c752450ba2b5d2d176a29ece.pdf?index=true
    • https://09623420-3e53-477e-8fa4-cfd1b5eb2771.filesusr.com/ugd/e7e4a0_d820f08659fc4589ac2eb2025ca5a045.pdf?index=true
    • https://152210ff-a879-4d44-a49c-ac56adb5b38e.filesusr.com/ugd/f9fac6_3d3cc75a4a9640168af9cec9db2ea2f6.pdf?index=true
    • https://eca7a8c7-1cfa-4271-b273-88b0d0357afb.filesusr.com/ugd/3cb679_8b39c737023541cb86c3f5d8cdef3c15.pdf?index=true
    • https://5ee60476-b056-4706-813c-cc81a16d759e.filesusr.com/ugd/63d3ad_4080fc1646e34f50991987f970d65b6d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0434/4591/1709/files/gsu_spring_break_2020.pdf
    • https://cdn.shopify.com/s/files/1/0435/4280/6679/files/renomuwulobinepodiju.pdf
    • https://cdn.shopify.com/s/files/1/0441/2126/0184/files/nonlinear_programming_bazaraa_solution_manual.pdf
    • https://7c29014d-6f77-4a64-843f-9996544ff37d.filesusr.com/ugd/3801ff_d2236593eb1048618dac83c14a93ac7a.pdf?index=true
    • https://1d52706e-08cb-4794-a06b-0e17a9b389e0.filesusr.com/ugd/5ad03d_3854259a468d41789d22a906410d8823.pdf?index=true
    • https://597a9ec7-4c28-414c-83e7-db1ffdfac1e2.filesusr.com/ugd/8d46c2_31dd4b02d5614a5d8efb3740d202e33d.pdf?index=true
    • https://a456a27d-6954-44e5-9f1f-79fd5328a2c7.filesusr.com/ugd/a0905b_ea5790cca26c4faba7b9e2b154d7a5b7.pdf?index=true
    • https://92868824-4d75-4e5e-bacd-4b140510bc9c.filesusr.com/ugd/90423f_970aed8ff8c34819afae76374cc33596.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000069bc.bin
    SHA-256: 66a604f38c2c7d578b8da04e106054f61e649d21be6e001a53c8085d87a1ef22
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69BC
    Size: 5248 bytes
  • Filename: font_01_sfnt_off00007b7d.bin
    SHA-256: efbfa6432b89551165b870d520126c396f37814222e9328e723a83f123d9a166
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B7D
    Size: 10104 bytes