Malicious PDF — malware analysis report

Heuristics 6

• PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ttraff.ru/123?keyword=money+cheat+for+gta+vice+city+android In PDF document text

  • https://rawofaweka.weebly.com/uploads/1/3/0/7/130775842/f1ef46cb07.pdfIn PDF document text
  • https://vimiwegom.weebly.com/uploads/1/3/0/7/130775837/favowovukibole-ligekal-rijidativan.pdfIn PDF document text
  • https://zoxuzuxebexot.weebly.com/uploads/1/3/0/9/130969059/4d5351fbb209c0.pdfIn PDF document text
  • https://bedizegoresupa.weebly.com/uploads/1/3/1/3/131379398/zanazanekoxel.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4365583/normal_5f871adb811b1.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4369317/normal_5f87ebce8fe38.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4366382/normal_5f8901d3b76e4.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://uploads.strikinglycdn.com/files/2f594bca-17e6-4559-9e4a-350ba86d7277/62663149433.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/869b213a-4278-4f5e-89ce-606edf99b879/bejifi.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/9c9760ea-5db6-4c5e-8e91-199cb8087948/88389248008.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/0283563e-4efe-4325-b155-cdd6cea65538/rajajorave.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/50a4f910-6d8b-4306-b050-7d681f34164b/xopaxiforilita.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/43e7adfe-b585-4dec-a688-a1640d25af02/mojitetefun.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/bc6c7616-1d25-4689-b323-e76ecfdb3169/gujapudituzedexofupuni.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/cd39189e-505f-44f0-89cf-91c473c1f536/silimuzedopor.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/21685bc3-c674-4be3-9c62-643702a59a52/suwok.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/e7c8f2df-f97e-454f-bca1-08101d08ef13/96481525246.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/e21fbd61-4765-4670-8a9e-f6a9cc67a0fe/wisufosomuxukuze.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/118f0108-28d1-49d9-a018-5f2dc5f9b1b2/gavebapoful.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/af62f583-929a-4cc9-af0e-d336f4c0dc6c/85388549142.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/24e1083d-ddbf-4011-a636-8fa82d6c2213/mewesadowulewesapufoka.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/fad2f94f-2558-4067-84ee-df0c49657277/52044064847.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/e7630b4a-aad4-4a93-a87b-9fb1593879d6/zanozuwij.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.