Verdict: MALICIOUS (Risk Score 120)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, with one critical heuristic firing indicating it's a malicious redirector. The primary malicious URL identified is https://ttraff.link/wix?keyword=kingdom+hearts+birth+by+sleep+psp+melding+guide. The document body appears to be heavily obfuscated, but the presence of the malicious URL and the link farm heuristic strongly suggest a phishing or redirection attack.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- https://ttraff.link/wix?keyword=kingdom+hearts+birth+by+sleep+psp+melding+guide
- http://files.paintersincentrallondon.co.uk/uploads/1/3/2/8/132814276/fezinogoxamapinato.pdf
- http://rawejijij.1301university.com/uploads/1/3/1/3/131398348/lagam.pdf
- http://witimis.drbgeography.com/uploads/1/3/1/4/131454440/a7002.pdf
- http://files.4-ucorp.com/uploads/1/3/0/7/130739567/7385382.pdf
- https://5bd4ed93-ff6f-43d4-aed8-f646dd6e8831.filesusr.com/ugd/d8966e_56f6f8a7885646fbbe587a7955396897.pdf?index=true
- https://442c705a-213e-4e52-a9ec-4c5455595e97.filesusr.com/ugd/1479de_531886e3bac84a7ebdd5787a0aa74d97.pdf?index=true
- https://6181ba12-faff-4819-b2a3-c6e4dffd8993.filesusr.com/ugd/e5a943_29dec0251ead446fb1cbe19a57eeb41d.pdf?index=true
- https://87db592f-b913-483d-b6c4-2f9b8bd24cf4.filesusr.com/ugd/a474dd_938dd23d6ced41b6876c29186de4845d.pdf?index=true
- https://a430c077-80b6-4b08-91cb-20ad0259bdf5.filesusr.com/ugd/592671_51ac742a44dc4c8e809251334a53a2c4.pdf?index=true
- https://c10edef0-ffbd-4fdc-8323-b1f2c5adc260.filesusr.com/ugd/930050_803c7c7a2718428db386994807710380.pdf?index=true
- https://edcc47e0-7194-4c5a-ad30-8f8398e1dd18.filesusr.com/ugd/77d535_63413b84b8234198bfae0f0719f44480.pdf?index=true
- https://1b9156c8-a09e-4d12-a9db-1d9e594ef09c.filesusr.com/ugd/0cd019_79c55fce568b42c3b4dee5129ca5d2f4.pdf?index=true
- https://5fc0b876-a0f8-443f-998b-bb5170a55a4f.filesusr.com/ugd/83b1b3_ddd81965e3e041c6b585a9b82d01effe.pdf?index=true
- https://026559b9-6d98-4c37-a693-9043241f9a21.filesusr.com/ugd/72b0e7_7275cf336bac49bc917122573891ab4c.pdf?index=true
- https://c29ba9c4-f356-4952-b072-a419e1e66160.filesusr.com/ugd/948cea_c6ef1520f37642ca95c87997ed08734d.pdf?index=true
- https://525d74ee-430a-4ebe-8d5a-31bd211c901d.filesusr.com/ugd/3f8d85_2deb4564a32347e9ba2896cc98923c84.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000093d9.bin | a78fb28e557e76d0a750505336590cdbf68f93803aa03a31d0deb31e1029f131 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x93D9 | 5584 bytes |
| font_01_sfnt_off0000a6b0.bin | 8c3a7f4c70d0edc9e28727d09819390dad21eebd3496439fafa6db2aba541da5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA6B0 | 14732 bytes |