Malware Insights
The PDF contains a large number of embedded links, many of which point to external resources, a technique often used to obscure malicious destinations. One critical heuristic firing indicates a direct link to a known malicious redirector. The document body, though partially corrupted, contains the URL 'https://ttraff.cc/wb?keyword=cortar%20un%20archivo%20pdf%20online', which is also flagged as a malicious redirector. This suggests the primary purpose is to redirect the user to a malicious site, likely for phishing or malware distribution.
Heuristics (3)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.cc/wb?keyword=cortar%20un%20archivo%20pdf%20online
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00005779.bin (hash: 4bb3e0984ad04ad5d59c368be0fd915948d3b18b6dc6db0dacde0a9ee8e845a6) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5779 | 5032 bytes |
| font_01_sfnt_off00006892.bin (hash: acce6be2547ec3ff1586e2863de5d3b852766e5289484ef2b3242188c6a3a523) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6892 | 11536 bytes |