MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a link to a redirector URL, which is a common tactic for distributing malware or leading users to phishing sites. The heuristic firings indicate that the PDF is acting as a link farm, directing users to numerous external PDF files, likely as part of a SEO poisoning or spam campaign. The primary malicious link identified is https://ttraff.ru/wb?keyword=make%20handwriting%20worksheets%20free%20online, which is designed to lure users under the guise of free worksheet creation.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=make%20handwriting%20worksheets%20free%20online
- http://files.fcaky.com/uploads/1/3/1/4/131407698/5205caf.pdf
- http://files.mycorporatecounselor.com/uploads/1/3/1/4/131437983/1606706.pdf
- http://files.region6aha.com/uploads/1/3/1/4/131437834/joxerinumon.pdf
- https://zuxejulo.files.wordpress.com/2020/07/tawimetodasawumumegel.pdf
- https://nexanofikade.files.wordpress.com/2020/07/27170279149.pdf
- https://magapabiv.files.wordpress.com/2020/06/92667861129.pdf
- https://lorujoxomejo.files.wordpress.com/2020/07/13340939588.pdf
- https://dajovofad.files.wordpress.com/2020/06/50312617570.pdf
- https://fojewel.files.wordpress.com/2020/06/5320902563.pdf
- https://semutodu.files.wordpress.com/2020/06/gujatopofoporuwetapazete.pdf
- https://jiledudosiso.files.wordpress.com/2020/07/savaxiximirunatilujulikoj.pdf
- https://zomifedig.files.wordpress.com/2020/06/86913876261.pdf
- https://cdn.shopify.com/s/files/1/0432/3049/4878/files/12258936568.pdf
- https://cdn.shopify.com/s/files/1/0432/7738/5892/files/kiguvi.pdf
- https://cdn.shopify.com/s/files/1/0431/6630/2376/files/40179869085.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/19490865332.pdf
- https://cdn.shopify.com/s/files/1/0427/4490/5884/files/13282303681.pdf
- https://cdn.shopify.com/s/files/1/0428/1712/6563/files/beturewasagisazevamuvu.pdf
- https://cdn.shopify.com/s/files/1/0430/6649/1042/files/likovijejuvupirezu.pdf
- https://cdn.shopify.com/s/files/1/0434/1858/3192/files/jumaluzabatadodufivuwiwin.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/73875000904.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://magapabiv.files.wordpress.com/2020/06/9266
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000705b.bin9547573a8f24e440d6c097b5fc0f947de54e3f380a6ec4c5f7a35d2d580fb720 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x705B | 5120 bytes |
font_01_sfnt_off000081d0.bin14ec999d6850f89e725bbdc913eceb269c74f2b9cd6349dce8511f3eda9abc7e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x81D0 | 10044 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.