MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of external links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the same URL as the malicious redirector, suggesting an attempt to lure the user to a malicious site. The presence of multiple PDF links, many hosted on static.usrfiles.com, indicates a potential link farm or SEO poisoning tactic to distribute malicious content.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=pursue+%252F+all+i+need+is+you+-+hillsong+worship+chords
- https://static.usrfiles.com/ugd/b8c837_aa573429fb52486d9ceffad07794d9fb.pdf
- https://static.usrfiles.com/ugd/b8c837_a86cc98d60f048a99d863c5b6d6b8d42.pdf
- https://static.usrfiles.com/ugd/b8c837_1424bd56622a4d56a1e2ca8feeba0a69.pdf
- https://static.usrfiles.com/ugd/b8c837_c1920bac43bc4cbc9166c3adc1abea13.pdf
- https://static.usrfiles.com/ugd/b8c837_d224297b83204df286bf3ea34a045d72.pdf
- https://cdn.shopify.com/s/files/1/0429/7441/2949/files/introduction_to_statistical_quality_control.pdf
- https://cdn.shopify.com/s/files/1/0437/0975/9641/files/accelerated_learning_techniques_brian_tracy_free.pdf
- https://cdn.shopify.com/s/files/1/0430/6878/4791/files/musoronur.pdf
- https://cdn.shopify.com/s/files/1/0431/9081/2821/files/sixajaka.pdf
- https://cdn.shopify.com/s/files/1/0461/7548/6115/files/37001678783.pdf
- https://cdn.shopify.com/s/files/1/0431/2452/3170/files/vista_128bpt_programming_manual.pdf
- https://cdn.shopify.com/s/files/1/0460/2514/6527/files/vunagis.pdf
- https://cdn.shopify.com/s/files/1/0463/3614/7612/files/gw2_legendary_armor_guide.pdf
- https://static.usrfiles.com/ugd/b8c837_b24f09a0afc94eb8a3a36743a3374409.pdf
- https://static.usrfiles.com/ugd/b8c837_68deb2993345474ea8b91d98a72facf5.pdf
- https://static.usrfiles.com/ugd/b8c837_0ef0b7b5cfa94282a8fa342ea28f6974.pdf
- https://static.usrfiles.com/ugd/b8c837_9f0bf7f317ba4715b95a6a4860e06e8d.pdf
- https://static.usrfiles.com/ugd/b8c837_beaf0f4ae0944100b8047c300d0beb16.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005fac.binae564136d060de298e34284eb3c68c480e7cd8bae328fc46b8845fb9980f3886 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FAC | 5596 bytes |
font_01_sfnt_off000072d1.bin4b3ec6833878ede12a7321bec5ab11cd85fe887cc0b381d02e1020d2a79cc1cc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x72D1 | 14256 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.