MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF file contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains URL fragments that suggest a lure to external content. The presence of a 'download button' heuristic further supports the idea that the document is designed to trick the user into clicking a link, which then leads to malicious infrastructure. No scripts were extracted, limiting the analysis of direct payload execution.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wix?keyword=jessica+rizzoli+edmonton
- http://files.skysthelimitsanctuary.org/uploads/1/3/2/6/132695216/tewegupisuk.pdf
- http://lunabif.maukabuilders.com/uploads/1/3/2/7/132710703/fe2a571facf7.pdf
- https://e311f88e-92a3-4b73-91bc-b4b789ae6ab0.filesusr.com/ugd/8e7730_c39b60e6c5374f44a99c33155a5d0f36.pdf?index=true
- https://74485fed-2617-4efe-94e1-c446c84a9aba.filesusr.com/ugd/18122d_31070a3e346242dfac093c3caa9578d2.pdf?index=true
- https://ad68af3b-9c21-42af-98b7-db6cd7224c48.filesusr.com/ugd/dfb5f8_e94d7ffdeed94545bfd6bd8b6381362a.pdf?index=true
- https://a4dc3bbc-d984-4db6-877a-c171499922da.filesusr.com/ugd/b148e5_52a4083c58154bceaef8200d82a0fc47.pdf?index=true
- https://5f8c02b0-024f-4999-aabb-56e5325f35c9.filesusr.com/ugd/d43733_b2caa3cc3b2840e7bbbf80513e91bab3.pdf?index=true
- https://f79c594c-eac2-4186-8492-fae013a4db4b.filesusr.com/ugd/78daac_b28bece317a547cc8e273602c5c252f4.pdf?index=true
- https://9922c089-ceac-4fa1-a32c-105d29d140cc.filesusr.com/ugd/dcf9ad_02b99cc910254a08b70f02757f093c48.pdf?index=true
- https://c47a3bde-6c14-4fd0-a7b5-8612e93f81ed.filesusr.com/ugd/5ea691_119c6d3ec22f41408b652ec57b8d62ac.pdf?index=true
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/31240515614.pdf
- https://cdn.shopify.com/s/files/1/0437/8905/8209/files/9988205421.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004f59.binfa033bf8804f55e328f74c9322ba3600e0f61db35f2b0922452877d8a3380ac1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F59 | 4912 bytes |
font_01_sfnt_off00005fe9.bin4cd5fa9928034493546fc554f07fef8250c8fa27e6a9ab4738ed8678c8717070 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FE9 | 10088 bytes |
font_02_sfnt_off0000825d.bin7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x825D | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.