MALICIOUS (Risk Score: 120)
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded links, with one specifically identified as a malicious redirector. This redirector points to a URL that appears to be a lure for downloading a PDF, likely to deliver a malicious payload. The document body, though heavily obfuscated, contains the same lure URL. The presence of a malicious redirector and a link farm suggests a phishing or malware distribution attempt.
Heuristics 3
- PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006a51.bin 4e8ebcada89b1fa8281a3850c72e776c28bbe02c6ded5ead35ba4721ce1b7fb3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A51 | 5180 bytes |
| font_01_sfnt_off00007bea.bin c99a054c273947187c6861b26ff5d806cbceaaf519881bc1eaeb1aea6df7ff9a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7BEA | 10552 bytes |