Malware Insights
The PDF file contains a large number of embedded external links, a technique often used to obscure malicious destinations or to create link farms for SEO poisoning. One of the embedded URLs, 'https://ttraff.link/wix?keyword=uniform+convergence+on+bounded+sets', is flagged as a known malicious redirector. The document body itself is heavily obfuscated and appears to contain metadata from the wkhtmltopdf tool, suggesting it was programmatically generated rather than user-authored content. The primary attack pattern involves luring the user to click on these links, potentially leading to further compromise.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL
- https://ttraff.link/wix?keyword=uniform+convergence+on+bounded+sets
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000090f3.bin 1485145f1c8aad07182e96610e96745a48e1bd6d92abc8fc12b73def90d4b562 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90F3 | 5288 bytes |
| font_01_sfnt_off0000a2ef.bin c5e17269d4030e4b7b313498de67a67bcc14f57b008883578908963e9d169040 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA2EF | 10352 bytes |
| font_02_sfnt_off0000c670.bin 45c5ebb9c38e90c4043dbecbcff12cbed3d2fd8d83c4792c7a9ada9ee62c2f35 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC670 | 16536 bytes |