MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a significant number of embedded links, a technique often used for SEO poisoning or to redirect users to malicious sites. One of the embedded URLs, 'https://ttraff.link/wix?keyword=castle+miner+z+2020', is identified as a known malicious redirector. The presence of numerous links, including one to a malicious redirector, suggests an attempt to lure users to malicious content or phishing pages. No scripts were extracted, limiting further analysis of the payload.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=castle+miner+z+2020
- http://mikawawid.compassengut.com/uploads/1/3/2/7/132712336/5870094.pdf
- http://files.thomas-lebesmuehlbacher.com/uploads/1/3/1/3/131380871/f66de2f56e.pdf
- https://cdn.shopify.com/s/files/1/0432/2482/6014/files/sarefotiz.pdf
- https://cdn.shopify.com/s/files/1/0428/0582/1599/files/ciaphas_cain_hero_of_the_imperium.pdf
- https://cdn.shopify.com/s/files/1/0438/6465/3984/files/xavozapafomugasovilov.pdf
- https://cdn.shopify.com/s/files/1/0434/6196/8025/files/barewik.pdf
- https://0350db06-0b32-4739-adfa-488bcc8865f9.filesusr.com/ugd/0baf77_3c6bc9d3e0db47ad926df0d55e393896.pdf?index=true
- https://84619560-8351-4a99-9c76-e387bda35641.filesusr.com/ugd/72ed28_b2c8dab6fe5641d38bdc1cc5852689bf.pdf?index=true
- https://4a7bcc25-bc3c-41b2-b078-837d8f6f7b7f.filesusr.com/ugd/cdb50c_ad36eea3b435471d8a6d8bfd041a9907.pdf?index=true
- https://f731542c-c0b7-4d6d-a248-382b2700fcf0.filesusr.com/ugd/f59309_abee4819fff840e5b60a813ace7083eb.pdf?index=true
- https://c55a8e8e-f659-4972-acee-02f43e91aa68.filesusr.com/ugd/0b46e6_31a11b04b5b647299fc54ae7bb2987a3.pdf?index=true
- https://793627a0-0adc-42ea-9a4b-0a822716a726.filesusr.com/ugd/f96b02_a20bbaef66ce437bbed52e835bfca817.pdf?index=true
- https://c6ae09c7-215d-4414-85f4-fffb8f3bdf4c.filesusr.com/ugd/11b39a_5a4f0087a48146e8873790db255ef1c8.pdf?index=true
- https://79ad5211-c31a-4379-8f3b-729e1c63600c.filesusr.com/ugd/70e7d4_40515c05b9cf4578848c7b5ef9666c74.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004e24.binb24dafb299d8738cbe8fdaf38c93959d2b13a80728d0e9eba1a781350c45f587 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E24 | 5060 bytes |
font_01_sfnt_off00005f3e.bind94672c50bb99659c6f4d3c10f2f4f6a211ebc3f48a27034df79142706f4e848 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F3E | 10028 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.