MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1566.001 Spearphishing Attachment
T1204.002 User Execution: Malicious File
The PDF contains a malicious redirector link disguised as a search result for a specific PDF, aiming to lead the user to malicious infrastructure. Additionally, the document employs a callback phishing lure, prompting users to contact a number for billing or security issues. The presence of numerous external PDF links suggests a link farm strategy to improve search engine ranking for malicious content. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=enter+the+gungeon+ammonomicon+pdf
- http://files.echoescollective.com/uploads/1/3/1/4/131437531/9732582.pdf
- http://files.turningleaftherapyservices.com/uploads/1/3/0/7/130739457/92c2f.pdf
- http://files.mduvallportfolio.com/uploads/1/3/2/6/132681415/6612445.pdf
- http://files.maramann.com/uploads/1/3/1/3/131380730/gumifelirafirirulav.pdf
- https://cdn.shopify.com/s/files/1/0441/3584/1944/files/64488109149.pdf
- https://cdn.shopify.com/s/files/1/0429/9423/7593/files/29918421177.pdf
- https://cdn.shopify.com/s/files/1/0431/4690/3709/files/55190427483.pdf
- https://cdn.shopify.com/s/files/1/0432/7515/7670/files/damixiduleritim.pdf
- https://cdn.shopify.com/s/files/1/0435/4582/1338/files/pukunofumapavudikojor.pdf
- https://cdn.shopify.com/s/files/1/0434/7052/0470/files/biremapolaxuwowidiganik.pdf
- https://cdn.shopify.com/s/files/1/0428/6929/3223/files/76402742493.pdf
- https://cdn.shopify.com/s/files/1/0432/8282/5376/files/88307115638.pdf
- https://cdn.shopify.com/s/files/1/0431/9461/3924/files/sogitibinajateto.pdf
- https://cdn.shopify.com/s/files/1/0430/6790/0061/files/66388379617.pdf
- https://cdn.shopify.com/s/files/1/0428/1381/6995/files/7505959924.pdf
- https://cdn.shopify.com/s/files/1/0434/6196/8025/files/30395724150.pdf
- https://cdn.shopify.com/s/files/1/0431/7331/4715/files/6318970842.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fb9e.bin8f1b23bb2c9b807a0cd1e357ba49a4bfa3f9da89b3aa3ffbc5383ab6108b7eb1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB9E | 5200 bytes |
font_01_sfnt_off00010d1d.bin0acccade196bc768df32598c8c684705ca91a4240a5fcd68c546a468ebca58ba |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D1D | 11728 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.