MALICIOUS (Risk Score: 128)
Malware Insights
MITRE ATT&CK:
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The presence of a 'download button' lure and a large number of embedded links suggests a phishing or scam attempt. The primary IOC is the malicious redirector URL.
Heuristics (4)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://ttraff.link/wix?keyword=bill+nye+electricity+video+guide
- https://92563ff3-e7a0-49f5-92b0-b2b7d8a12f4d.filesusr.com/ugd/912de2_5dc38e63bf43408e97e9d9f0a7d1cd81.pdf?index=true
- https://66024dc2-abde-42f9-ad0e-b3456db7006a.filesusr.com/ugd/bc79a4_2c6ee41ff6994cf184d5b540c7efa1f9.pdf?index=true
- https://6bf9273e-fec8-4a8b-9ed1-3dae04385ece.filesusr.com/ugd/18122d_e1048d2e45f84f68806347479d93ab8f.pdf?index=true
- https://8d5fb729-f0fc-4236-bfd9-29ae2343c087.filesusr.com/ugd/f91cf1_96e220acdd47422fb9f783310ca50767.pdf?index=true
- https://cdn.shopify.com/s/files/1/0435/3094/4671/files/w_9_for_non_profit.pdf
- https://cdn.shopify.com/s/files/1/0435/9297/4499/files/centos_7_terminal_commands.pdf
- https://cdn.shopify.com/s/files/1/0433/8312/8214/files/catchment_area_hydrology.pdf
- https://cdn.shopify.com/s/files/1/0432/4828/7912/files/16801498813.pdf
- https://cdn.shopify.com/s/files/1/0431/7000/5156/files/boy_scout_uniform_buy_online.pdf
- https://d7920947-a8b0-46b7-992b-787664918d11.filesusr.com/ugd/e2c223_cc9efc7d2fdc4a41b63eb7a68495dce8.pdf?index=true
- https://e487579d-e5b9-4f33-b5d4-56c416722661.filesusr.com/ugd/39cb9d_c51ccaf8a1fc4155b0da4d47cd345fc3.pdf?index=true
- https://bea36fca-46f8-472f-b18f-a0512efc2dec.filesusr.com/ugd/2994dd_de515d80c62340bc9c166b180236db55.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000b08c.bin | 85b692c1c636aed9ab1240d2a7361179fdd6c0849396a06064984f922e967b4f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB08C | 2828 bytes |
| font_01_sfnt_off0000ba86.bin | b036ef8f0ae1194eef6bad392bd9d63c080d5dbe60a515ddffa62300b2cb70b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBA86 | 4812 bytes |
| font_02_sfnt_off0000caf1.bin | d595cdd16a7e567d1fe929afdc84bfc700121aab2b5841f1e0b7aa8ab3a145c3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCAF1 | 10132 bytes |
| font_03_sfnt_off0000ed98.bin | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED98 | 4324 bytes |