Malware Insights
The PDF file contains numerous embedded links, forming a link farm designed to direct users to external sites. One critical heuristic identified a link to a known malicious redirector at `https://ttraff.club/wix?keyword=will+slimes+spawn+in+light`. Another heuristic flagged the PDF as a link farm, with many links pointing to PDF files hosted on various domains, such as `http://vugiju.248mpr.com/uploads/1/3/2/6/132695478/tenusupinof.pdf`. The document body, though heavily obfuscated, contains the same URL as the redirector, suggesting a lure to a malicious site.
Heuristics 3
- PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK): PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL
- https://ttraff.club/wix?keyword=will+slimes+spawn+in+light
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000062c7.bin e1dea448303cf9732ec94d425035589b625063aa4ced8eb62592fd6baac41102 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x62C7 | 4920 bytes |
| font_01_sfnt_off0000735b.bin 0d571de804ec5b8e9bfd95551a15e95687d00052ad310e2e261aa3268140514f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x735B | 10440 bytes |
| font_02_sfnt_off00009705.bin b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9705 | 4324 bytes |