Malicious PDF — malware analysis report

Static analysis result for SHA-256 729d7e82c1c92e56…

Verdict: MALICIOUS
File type: PDF
Size: 50.8 KB
Created: 2020-09-17 19:16:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 28f61a4441aab35cb5710c2ce20b92ce
SHA-1: 703670e2367ad46624780952b07ff0569f4b5160
SHA-256: 729d7e82c1c92e562b59649bebc2703b35b1a3dd8ce63afd13fa94e120b4afe9
Risk score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a deceptive link disguised as a search result for a local bus schedule, which redirects to a malicious URL. It also functions as a link farm, hosting numerous other PDFs on disposable domains, suggesting an attempt to manipulate search engine results or distribute further malicious content. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=shafer+bus+schedule+endicott+ny
    • http://files.kalamazooneurofeedback.com/uploads/1/3/0/7/130776499/fojasawog.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://95e46872-09e0-4a7b-b427-7679ce99fbc4.filesusr.com/ugd/0d018b_cb5e60d6000b4c0e8a9c6f15a35ed3e4.pdf?index=true
    • https://cdc04b0a-e5aa-4c14-a4a1-139f82efee9f.filesusr.com/ugd/76de1a_313c3b9368a24d8fb48ed7099fd600de.pdf?index=true
    • https://c26f8a57-6ec8-4607-a79d-3642e3ed3e68.filesusr.com/ugd/b27199_02a646926379476cace9a7985ff23d4e.pdf?index=true
    • https://c30a74ec-1a4d-4a1d-99a4-672c67559dcf.filesusr.com/ugd/7e0eb0_b7435634154c4071b246ca175e59df4e.pdf?index=true
    • https://c09db502-76bc-473d-89dc-009c7a45c3a1.filesusr.com/ugd/f08e01_00502e60e78949c68f061a52a6eec4be.pdf?index=true
    • https://74e63c59-64c7-4af0-a2eb-c60c6e5d3935.filesusr.com/ugd/8db125_069d68a3108345aaa7134356b9557220.pdf?index=true
    • https://0de33dc8-1ae5-4bbf-a096-1e979bd6bd81.filesusr.com/ugd/23b571_1a5b9c5ed3834b8792f7d47850700497.pdf?index=true
    • https://4ae5a20e-6764-4ec4-8b01-9c7529a94cc3.filesusr.com/ugd/80bfa9_4245df53cec44fad86b53369f6b08c02.pdf?index=true
    • https://e833b0fd-f9e6-48b7-948a-d85a654b4a36.filesusr.com/ugd/911c12_7bbfba1556df4657b67419f2e89bb542.pdf?index=true
    • https://a5aab223-06d3-4fe6-8b73-14fe1f70821c.filesusr.com/ugd/8e7730_7930814364ec4aa5a03775ff180d4ebf.pdf?index=true
    • https://bb9dda0e-3a01-4d92-8a31-44215b518c21.filesusr.com/ugd/003b86_daf1bc7fc6a748aa9f41cfc7dda0278f.pdf?index=true
    • https://4083bad9-e2cd-40d9-9a9f-8a3e78bb40a0.filesusr.com/ugd/d1c05f_3f5e4bbe917d47cdb18583fd87395676.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006ec9.bin
    SHA-256: 8645305ac073052b5cecf98092af570dd93513937f51a748d44f048d3ec812db
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6EC9
    Size: 5336 bytes
  • font_01_sfnt_off000080de.bin
    SHA-256: 0ceea40b73ec8283f4d496190630856e1c9aebf5de7c7a6b693f32445f67447d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x80DE
    Size: 15328 bytes
  • font_02_sfnt_off0000b004.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB004
    Size: 4324 bytes