Verdict: MALICIOUS
Risk Score: 128

Malware Insights

MITRE ATT&CK:
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a prominent link disguised as a download button, directing users to a URL containing 'shell apk install'. This strongly suggests a social engineering attack aimed at tricking users into downloading and executing malicious Android applications. The PDF also features a large number of external links, many pointing to suspicious domains, indicating a potential link farm or redirector strategy to obscure the final malicious destination.
Heuristics (4)
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs extracted from the document:
- https://ttraff.link/wix?keyword=shell+apk+install
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000b85d.bin | 95ba9feeb408d95f8369db9382ac392d30d2f02357ed5a0b0664a69bceaa2c4c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB85D | 4980 bytes |
| font_01_sfnt_off0000c94b.bin | ad660d268c271ddea4617da031828396cc3fe47025baf9bd61596e1865253174 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC94B | 11060 bytes |
| font_02_sfnt_off0000eece.bin | 3f7f6beb0f5865f83039c8434023d34048916fbab515aea8bfee4d6c7e3f3101 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEECE | 16448 bytes |