Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e16802075a2801e…

Verdict: MALICIOUS
File type: PDF
Size: 70.3 KB
Created: 2020-11-07 04:33:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-02-23
MD5: 5bb75ddab023d5b38235ca091e237e4f
SHA-1: cc004e43999bb9cea6db9f6c7ee8d388837e294e
SHA-256: 7e16802075a2801e20028bb94f5705d7768fdec99262d0b09cd8cbd111408442
Risk score: 76

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Image lure linking to an SEO redirector (free-download phishing) [severity: high, rule: PDF_SEO_UTM_REDIRECTOR_LINK]
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [severity: info, rule: PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/123?keyword=youtube+cnn+10+february+5+2020 (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000d2f8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD2F8 | 5320 bytes | cc7f61b79c8958057d2728cf2a915deec0b63861c2c9f12c40b65f5582ba840c
font_01_sfnt_off0000e53c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE53C | 11024 bytes | ad382d2ee26ee3da25740e8988731c2a15f38a1e068db4c0c7661463e432b8f4