MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains embedded JavaScript and numerous external links, many of which point to a link farm designed for SEO manipulation. One critical heuristic identified a link to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL that triggers the redirector, suggesting the primary intent is to lead the user to malicious content via a deceptive academic lure.
Heuristics 4
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ttraff.link/wix?keyword=expectancy-value+theory+of+achievement+motivation
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007b1c.bin fcc65808a3e4b227c987391c033bf09c04f928335d78defabde084668eb709f4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B1C | 5296 bytes |
| font_01_sfnt_off00008d14.bin 1109da87c5bade2e28a2e4df40e117b2f48c8394ac413dde7f1890ae880e6639 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D14 | 10464 bytes |