MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains numerous links to external resources, with a critical heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the redirector heuristic. The presence of a "download button" lure further suggests a malicious intent to trick the user into navigating these links. The primary attack pattern involves directing users to potentially harmful websites.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=open%20wide%20book%20pdf
- http://files.bhwhemptherapy.com/uploads/1/3/0/9/130969278/2eeb997ba.pdf
- http://files.capetowndaytours.net/uploads/1/3/0/8/130874629/bugob-bowon-jozopo-vudux.pdf
- http://files.episcopalmissioncenter.org/uploads/1/3/0/9/130969498/1ed0782251a23eb.pdf
- http://files.laviishluxxe.com/uploads/1/3/0/7/130775942/1a41a3f.pdf
- http://files.claytonsconstruction.com/uploads/1/3/1/6/131607889/xosizibaj.pdf
- http://files.myfutra.com/uploads/1/3/1/3/131384018/netax.pdf
- http://files.musingaboutwriting.com/uploads/1/3/0/9/130969498/zilijep-moxanokex-xopetiwute.pdf
- http://files.thelambranch.com/uploads/1/3/0/7/130775368/sosozov.pdf
- http://files.petoskeycenteriop.com/uploads/1/3/2/3/132302848/5228514.pdf
- https://mojokego.files.wordpress.com/2020/06/21125039471.pdf
- https://gubobag.files.wordpress.com/2020/06/fusarajezeb.pdf
- https://fakemoj.files.wordpress.com/2020/06/jakevuwenodutusegaxi.pdf
- https://vaxunijigi.files.wordpress.com/2020/07/38729831352.pdf
- https://pesiloratepo.files.wordpress.com/2020/07/10643266887.pdf
- https://movupasu.files.wordpress.com/2020/06/46782034706.pdf
- https://zosexev.files.wordpress.com/2020/07/17844262503.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/50398535586.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/ziwodukujaluladiludu.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/32829552166.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/41448402009.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/3789128943.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006fb8.bindc7bfd6cdd3723ff7dbb127a5d9768191ddcb971bf48e74b8d8445a74a3d9d5f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FB8 | 4548 bytes |
font_01_sfnt_off00007f44.bin40406332305b2d7be9d965fa8439cccf5d85241075007639bdc9533e4b5e9c4f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F44 | 9964 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.