MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links, with one identified as a malicious redirector. The document body is heavily obfuscated but contains the malicious URL. The presence of numerous links suggests a link farm or phishing attempt designed to lead users to malicious content. No scripts were extracted, limiting further analysis of specific behaviors.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=wolf+knight+greatshield
- http://files.thebannedunderground.com/uploads/1/3/1/8/131856991/wutudumagolop.pdf
- http://files.esperrealms.com/uploads/1/3/1/4/131453615/gagiloxa.pdf
- http://files.macdonaldsfarmersalmanac.com/uploads/1/3/1/4/131407067/724034.pdf
- http://files.tandemmom.com/uploads/1/3/0/8/130813692/givamono.pdf
- http://files.lecontent.eu/uploads/1/3/2/8/132814022/luwijomarivusopojum.pdf
- https://cdn.shopify.com/s/files/1/0434/2287/5797/files/74386065286.pdf
- https://cdn.shopify.com/s/files/1/0432/2174/5822/files/widole.pdf
- https://cdn.shopify.com/s/files/1/0434/2562/8316/files/service_host_sysmain.pdf
- https://cdn.shopify.com/s/files/1/0431/5719/2853/files/jokuxabetowidoninoposuw.pdf
- https://cdn.shopify.com/s/files/1/0432/0159/3502/files/79473177520.pdf
- https://cdn.shopify.com/s/files/1/0434/5744/6038/files/15196786701.pdf
- https://cdn.shopify.com/s/files/1/0435/4244/6231/files/48461356122.pdf
- https://cdn.shopify.com/s/files/1/0435/2029/5064/files/25476853319.pdf
- https://cdn.shopify.com/s/files/1/0431/8891/2290/files/wodoferino.pdf
- https://cdn.shopify.com/s/files/1/0433/4131/6249/files/nofexejusivinoz.pdf
- https://cdn.shopify.com/s/files/1/0430/8205/5842/files/vetit.pdf
- https://cdn.shopify.com/s/files/1/0439/8628/8798/files/xipilonitoxizugotogowinag.pdf
- https://cdn.shopify.com/s/files/1/0435/5093/3156/files/apache_poi_tutorial_pdf_download.pdf
- https://cdn.shopify.com/s/files/1/0431/4241/4492/files/colander_microeconomics.pdf
- https://cdn.shopify.com/s/files/1/0430/4896/0151/files/viporetak.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006330.binbb4d77290b20d2184ecd3b2bca79ea93e53b78e99841161c4e57a68fec42af8e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6330 | 5244 bytes |
font_01_sfnt_off0000750f.bin73bb6d35932f7bd97d73aca523631a010defe9ae568228929c48aa7ddb0e6086 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x750F | 13596 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.