MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=bible+word+puzzle+apk+mod'. It also exhibits characteristics of a PDF link farm, with numerous links to external PDFs hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains text related to 'bible word puzzle apk mod' and a call-to-action phrase, suggesting a lure to download potentially malicious content.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=bible+word+puzzle+apk+mod
- https://static.usrfiles.com/ugd/b8c837_a15e2bb99a464cf48c44de4e05ca7842.pdf
- https://static.usrfiles.com/ugd/368de4_5749265ca71542ccbac6cafc5366c03e.pdf
- https://static.usrfiles.com/ugd/097bd5_4f8d41059cc24517afdb1585e5218da9.pdf
- https://static.usrfiles.com/ugd/b444d4_4d88016a57074046b74f255c12689185.pdf
- https://static.usrfiles.com/ugd/b8c837_3f497ba781d34cb5a5cacf40d1b91d67.pdf
- https://static.usrfiles.com/ugd/7e0eb0_81fff684ad6b4f9cad1b142364eb68ad.pdf
- https://static.usrfiles.com/ugd/ecd213_7696217840754c358e68d37238d07bee.pdf
- https://static.usrfiles.com/ugd/724bd4_f7441fd3563c4597852a143b0b8dc5aa.pdf
- https://static.usrfiles.com/ugd/bb13a2_e195daabd365459fb04115eb622915ec.pdf
- https://static.usrfiles.com/ugd/40512e_a62810d2436b403b8400a13ee229a01f.pdf
- https://static.usrfiles.com/ugd/67f5f7_c04b7ed8085f4358810a9c7573de0ea4.pdf
- https://cdn.shopify.com/s/files/1/0433/3905/5253/files/timarepo.pdf
- https://cdn.shopify.com/s/files/1/0439/3834/9211/files/insomnia_stephen_king.pdf
- https://cdn.shopify.com/s/files/1/0432/5185/9611/files/96176572366.pdf
- https://cdn.shopify.com/s/files/1/0431/7023/4527/files/belongingness_hypothesis.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000585c.bine05519588bb41d4121a7f587eceea0334094b7a39435df0f1efa6a0301ca54fc |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x585C | 5324 bytes |
font_01_sfnt_off00006a74.bin69aa7327cfcc9752664237ac4583359837cea76badef3ec79aad82123722910e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A74 | 3608 bytes |
font_02_sfnt_off000077de.binef8089be9b6e3c1b4d9a587471dacf1247cc04e804fe428d64c575681424461f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x77DE | 10408 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.