Verdict: MALICIOUS (Risk Score 120)
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains a link to a known malicious redirector, indicating an attempt to lead the user to a harmful site. The document body, though heavily obfuscated, contains URLs that appear to be part of a link farm, suggesting a tactic to improve search engine ranking for malicious content. The primary malicious IOC is the redirector URL, which is likely used to obscure the final destination of the attack.
Heuristics (3)
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The flagged redirector URL is https://ttraff.com/pify?keyword=lectures+on+tung+s+acupuncture+points+study+pdf; the remaining extracted URLs are the link-farm PDF links and standard XMP/RDF namespace URIs.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00005b74.bin | 3ad5dfd01c47b192a21946202e1dc54c58b4b38c71cab18b091cecdeae4c571c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B74 | 6028 bytes |
| font_01_sfnt_off0000702b.bin | 179466020a9fa223efc954e978976fc2b905bcb5bf01dbf45c043867ed522e9b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x702B | 5332 bytes |
| font_02_sfnt_off0000826e.bin | 50f6934c3d358b8cf1c809554cb9926b08aefec56bfaa5d648fab56f2ac2133d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x826E | 10028 bytes |