MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 Malicious Link
T1059.001 PowerShell
The PDF contains a significant number of embedded links, many of which point to external PDF files hosted on various domains, indicating a link farm. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.link/wix?keyword=apk+ios+2020'. The document body also contains this URL and other PDF links, suggesting a coordinated effort to direct users to potentially malicious content. The presence of a 'download button' heuristic further supports the lure-based attack pattern.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=apk+ios+2020
- http://jigofi.manticarchitecture.com/uploads/1/3/0/7/130739227/jenafade.pdf
- http://kozanibox.thebedrockinitiative.org/uploads/1/3/1/8/131860553/9640705.pdf
- http://files.kayakanglersofmissouri.com/uploads/1/3/0/8/130814718/1557884.pdf
- http://files.bellinghaminspector.com/uploads/1/3/1/6/131637953/9570836.pdf
- http://files.mysweatshops.com/uploads/1/3/1/6/131637814/tuvebipuwutiji.pdf
- http://lasirifi.ouritalyadventure.net/uploads/1/3/0/7/130739732/gejorusipovomarap.pdf
- http://fopom.bridgeportcf.org/uploads/1/3/1/8/131871787/1802088.pdf
- https://cdn.shopify.com/s/files/1/0427/8996/1884/files/xizuku.pdf
- https://cdn.shopify.com/s/files/1/0433/0147/0366/files/ladizovigofaga.pdf
- https://cdn.shopify.com/s/files/1/0435/4798/4026/files/acids_and_bases_study_guide_chapter_18.pdf
- https://511fad45-4fc7-48b9-92e2-0b20dcfaa6d9.filesusr.com/ugd/4ae4db_6bfe61c9364a4055b6f3df690c6a322c.pdf?index=true
- https://83b6c9f5-b799-4b97-a804-bbd367c7065f.filesusr.com/ugd/7e84b7_ad9735d690f34da887d487c950891ec2.pdf?index=true
- https://da3f42f4-af1d-4507-b0b0-833a5e6bbf45.filesusr.com/ugd/b13fd1_9ec390ecd1bb4641a2b04b3eba0ba0dd.pdf?index=true
- https://36f3c732-ab51-487e-9059-850b3582bb3a.filesusr.com/ugd/1d64af_e3feeb05954640a7b44c4f3c1082d2ef.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000a73f.bin9064ed773280e69505ebe8e74b7ce310c20bd6cce27b3f443f7077701c6586e2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA73F | 4800 bytes |
font_01_sfnt_off0000b7b5.bin02028e5d5f03cc8fe36ee1cbdfc89316ae28a664da99decc88b08c9e9b16bb81 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB7B5 | 10564 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.