Malicious PDF — malware analysis report

Heuristics 4

• PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://cctraff.ru/strik?keyword=pillars+of+eternity+deadfire+map In PDF document text

  • http://files.purplehornpress.com/uploads/1/3/1/4/131453531/2af3cbbe79f9021.pdfIn PDF document text
  • http://gigimo.d20stitchery.com/uploads/1/3/2/6/132682866/zimamasupoj.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://uploads.strikinglycdn.com/files/f83c70cf-87fb-4aa2-8623-1f7a5a8a89fd/76319101304.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/20611a5c-c99c-4328-ae24-8b518002fb96/66270770643.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/41db6336-3ec2-483f-9c1e-0997bd65d720/vovowobamisifikomoxagu.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/e624b64f-448f-4501-943b-7c93cf3da920/33953008021.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/4322a288-871b-4e50-b275-92b8305a3603/91718498211.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/3735ef4f-e3fa-4941-927a-9d6e61881160/4830945587.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/f4ef284d-d05b-45e1-b4f3-21bf86ead3a0/3773934860.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/558f1c21-771e-43f5-bc1a-5a2d3a7c05de/kuwipamezunixosiga.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/a498619b-f307-446c-a2b9-de872789cfd9/zuxikezip.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.