MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=persona+3+yukari+meme'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs. While the document body is heavily obfuscated, the presence of these malicious links strongly suggests an attempt to lure the user to a harmful external resource. The file was generated using wkhtmltopdf, which can sometimes be abused for malicious purposes.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/wix?keyword=persona+3+yukari+meme
- https://978ec108-658d-4a3a-9ab1-362ebebef2af.filesusr.com/ugd/b1277d_d18ecb624aca461298faf9ff494b0efc.pdf?index=true
- https://cb296cfb-7d7d-4d90-a645-e53e68bc5149.filesusr.com/ugd/32acb1_b18428d0ba2947ed819c9ba4cf011f69.pdf?index=true
- https://82cba0af-f6ed-4e23-8d69-7c3fcec5a14e.filesusr.com/ugd/c33cdb_31045ff53cf24579832bfbe21d732709.pdf?index=true
- https://cdn.shopify.com/s/files/1/0430/9496/6421/files/jomov.pdf
- https://cdn.shopify.com/s/files/1/0436/8013/7369/files/ley_organica_de_la_administracion_publica_federal_2020.pdf
- https://cdn.shopify.com/s/files/1/0438/2290/7554/files/5191559697.pdf
- https://cdn.shopify.com/s/files/1/0432/0457/5387/files/the_windows_schannel_error_state_is.pdf
- https://cdn.shopify.com/s/files/1/0431/6309/1112/files/92290328222.pdf
- https://cdn.shopify.com/s/files/1/0454/9050/3832/files/arduino_uno_espaol.pdf
- https://46fef582-cd15-4a74-8a6a-1afa35d99311.filesusr.com/ugd/6c313a_f1726f6ec05946c8a0ae66e62900061e.pdf?index=true
- https://649ac4b8-ab15-4479-9486-6bde3b0187c5.filesusr.com/ugd/46bfb0_e276a496c0fe4b678f2e64b4907815f1.pdf?index=true
- https://3aae2079-2c2c-4aff-b35f-689057123d4e.filesusr.com/ugd/ae059d_3d0427207af441ed9aa0883db79f4d71.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00011e62.bin3d4760ca295192c89086870ebbac49c5a5945404ea6ab57fca452cf2db5f569a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E62 | 6440 bytes |
font_01_sfnt_off00012e25.bin0456bc27e9ae07e9806feaec5541165f1b0fe6013d4018145c6781cbae22c8ab |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E25 | 5564 bytes |
font_02_sfnt_off000141c4.bind39ca260249f7fdb934e8c111e42cb48b92a5b4265d4013aba18a2cb6c017921 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x141C4 | 5128 bytes |
font_03_sfnt_off0001532c.bin8921ebf09a282c83d5dad4c56e2314abc1c26726817a4fbb335493e37d7d8619 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1532C | 10916 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.