MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a critical heuristic firing indicating it links to known malicious redirector infrastructure, specifically pointing to a URL designed to lure users into downloading an APK. The document body and extracted URLs reinforce this, showing a clear attempt to trick users into downloading 'Subway Surfers Paris APK' via a redirector. The presence of a large number of external PDF links also suggests a link farm, likely for SEO poisoning to increase visibility of the malicious download lure.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.com/wix?keyword=subway+surfers+paris+apk+download
- https://static.usrfiles.com/ugd/a91264_96c4ce3b237446fc82a75b2b88cf4b09.pdf
- https://static.usrfiles.com/ugd/f09a9d_b747fd3e791e465aad826939039da9e4.pdf
- https://static.usrfiles.com/ugd/b8c837_78e42a642473420a83e2b783dc661558.pdf
- https://static.usrfiles.com/ugd/18f527_87ac9a012c004ef18da265a285cd448f.pdf
- https://cdn.shopify.com/s/files/1/0433/9014/0581/files/22318633839.pdf
- https://cdn.shopify.com/s/files/1/0435/5099/8679/files/calculus_and_analytic_geometry_free_download.pdf
- https://cdn.shopify.com/s/files/1/0429/4760/8730/files/865895945.pdf
- https://cdn.shopify.com/s/files/1/0431/5856/9115/files/kijufidawaxo.pdf
- https://cdn.shopify.com/s/files/1/0434/8438/1337/files/jimisi.pdf
- https://cdn.shopify.com/s/files/1/0434/9624/3364/files/mapewujusinolivokekujodi.pdf
- https://cdn.shopify.com/s/files/1/0431/7321/6411/files/28139647201.pdf
- https://cdn.shopify.com/s/files/1/0433/8447/1710/files/woloriwuxake.pdf
- https://cdn.shopify.com/s/files/1/0433/6127/1959/files/sleep_apnea_patient_education.pdf
- https://cdn.shopify.com/s/files/1/0446/0825/8211/files/bareliviriwux.pdf
- https://cdn.shopify.com/s/files/1/0431/6944/8097/files/25056294118.pdf
- https://cdn.shopify.com/s/files/1/0430/8523/4338/files/9435087307.pdf
- https://cdn.shopify.com/s/files/1/0430/1006/4537/files/tiwixezeker.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004739.binca82ab68a4951f2981547ddd4780db1f776cb12cd339db938a7f5d53920c5bd0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4739 | 5536 bytes |
font_01_sfnt_off00005a2e.binf265e65f44f47074d37dab41149744c904802a7cf8581e33a8be8ab38f196526 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A2E | 10272 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.