MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a prominent link that redirects to a malicious URL, disguised as a business contract agreement. This is further supported by heuristics indicating a malicious redirector and a link farm, suggesting an attempt to lure users to malicious content. No scripts were extracted, but the embedded link and document structure strongly indicate a phishing or redirection attack.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/pify?keyword=business+contract+agreement+sample+pdf
- http://katus.deliverydoula.com/uploads/1/3/1/3/131383483/gazurebafel-gowujiremezogo.pdf
- http://files.twiggardens.com/uploads/1/3/1/1/131163533/dokelutawa_bajobuxarir_fusuzet_pinuzu.pdf
- http://fulew.leftyyang.com/uploads/1/3/1/6/131607163/872205.pdf
- http://files.thetalentz.com/uploads/1/3/1/4/131438324/8700017.pdf
- http://files.worklifespanish.com/uploads/1/3/1/3/131398440/2ea150a42a2.pdf
- https://cdn.shopify.com/s/files/1/0432/8806/8254/files/dotizolejirikizugafep.pdf
- https://cdn.shopify.com/s/files/1/0431/4926/3004/files/34807052727.pdf
- https://cdn.shopify.com/s/files/1/0429/5327/7603/files/xcii_in_roman_numerals.pdf
- https://cdn.shopify.com/s/files/1/0429/8014/7359/files/33819568752.pdf
- https://cdn.shopify.com/s/files/1/0446/7530/1539/files/bronchopneumonia_in_child.pdf
- https://cdn.shopify.com/s/files/1/0438/0708/0605/files/videnedod.pdf
- https://cdn.shopify.com/s/files/1/0437/2247/3624/files/metabolic_syndrome_articles.pdf
- https://cdn.shopify.com/s/files/1/0446/7975/7977/files/graveyard_keeper_hops_seeds.pdf
- https://cdn.shopify.com/s/files/1/0430/1104/7575/files/jodisufoku.pdf
- https://cdn.shopify.com/s/files/1/0427/6381/3020/files/kevomipunezinukap.pdf
- https://cdn.shopify.com/s/files/1/0429/2391/7475/files/lupobupexinesoxetodoned.pdf
- https://cdn.shopify.com/s/files/1/0441/1087/2728/files/xidoxinififu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006835.bin7ae9999f800b8e6c5b9d6462e5801b9dadac431c2b63d9dd14051a7892eeb7a2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6835 | 5524 bytes |
font_01_sfnt_off00007ae3.bin50a2635469cabd2c90e7b5b7061241e4b6d42e213f9e143278f09fef975f4073 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7AE3 | 10536 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.