Malicious PDF — malware analysis report

Heuristics 5

• PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ttraff.com/wix?keyword=classifying+integers+and+rational+numbers+worksheet

  • http://files.vsauci.org/uploads/1/3/2/6/132696483/sebup-gevikevew-fizizopatizi.pdf
  • http://vegigafor.ctcresources.com/uploads/1/3/0/7/130776728/423181.pdf
  • http://files.alniyatbellydance.com/uploads/1/3/0/7/130775865/lajusilute_vawefi_simagasizapijim.pdf
  • http://files.pjgtour.com/uploads/1/3/1/4/131406735/vudagu-wizokuxar-namobewevi-petalij.pdf
  • http://wixitumir.northernlightsprimal.com/uploads/1/3/1/8/131857445/6e0ca0d.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://f4b02bdb-f372-4347-a575-08fb46aaa821.filesusr.com/ugd/565485_37f5ebf157594639b27f85b374608a4a.pdf?index=true
  • https://199755be-c971-45ba-a618-475d1fbf33e1.filesusr.com/ugd/510691_085ae21a022245caaabb797a7f4f2c32.pdf?index=true
  • https://ed7a347f-4c06-4d61-b496-d4b5c5ad46d0.filesusr.com/ugd/d93890_7046688a140149f6bb80e21ce5ee5f80.pdf?index=true
  • https://429065f5-ce57-49b9-ace3-b39dd6cb9990.filesusr.com/ugd/f1780b_0c7a8c1673b341bb902b21b1af5fa9e3.pdf?index=true
  • https://3bd04b4b-1125-4e21-8644-03039bcb5463.filesusr.com/ugd/f6336d_46a7bbd825a948eeae30568084d59115.pdf?index=true
  • https://2363b109-23a4-4829-bbe8-88b3ef6962fc.filesusr.com/ugd/501a20_7010ba3d8c354f49ad5414dccbcd6d02.pdf?index=true
  • https://11cabea4-eba6-4a4f-8bab-e2214f6db4f1.filesusr.com/ugd/0fdb6d_365c1a66f17641c3a387f74e9e847477.pdf?index=true
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.