Malicious PDF — malware analysis report

Heuristics 7

• PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
  Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
• MFA / one-time-code harvesting lure high SE_MFA_LURE
  Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
• Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
  Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
• Fake invoice / payment lure low SE_INVOICE_LURE
  Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ttraff.com/pify?keyword=bjhm+consent+form

  • http://files.shipshapetipsboatbulidingandrepairs.com/uploads/1/3/0/7/130740521/mejutus.pdf
  • http://mabamuta.fanfaresandreveries.com/uploads/1/3/1/4/131438379/xefanizowapigar_ziweragikidesap_sugad_muwovim.pdf
  • http://zosav.meritfinance.net/uploads/1/3/0/9/130969204/6808d.pdf
  • http://files.myregionals.com/uploads/1/3/2/3/132302998/zogaxukejakoma.pdf
  • https://cdn.shopify.com/s/files/1/0431/6299/2795/files/gopezeko.pdf
  • https://cdn.shopify.com/s/files/1/0438/9876/5480/files/pdf_to_word_converter_program_free.pdf
  • https://cdn.shopify.com/s/files/1/0430/5652/9557/files/pubebubevikirato.pdf
  • https://cdn.shopify.com/s/files/1/0427/8140/9436/files/86394105132.pdf
  • https://cdn.shopify.com/s/files/1/0438/1740/2530/files/213_the_hard_way.pdf
  • https://cdn.shopify.com/s/files/1/0433/0664/7707/files/addition_and_subtraction_worksheets_grade_4.pdf
  • https://cdn.shopify.com/s/files/1/0433/0032/3478/files/37773384982.pdf
  • https://cdn.shopify.com/s/files/1/0434/6249/2324/files/seboxiredoto.pdf
  • https://cdn.shopify.com/s/files/1/0431/4886/9789/files/xotuj.pdf
  • https://cdn.shopify.com/s/files/1/0430/4375/0049/files/android_storage_emulated_0_location.pdf
  • https://cdn.shopify.com/s/files/1/0428/4848/5535/files/88995100628.pdf
  • https://cdn.shopify.com/s/files/1/0430/1278/4277/files/85182127997.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/

Open this report in the interactive analyzer, or submit your own file for analysis.