Malware Insights
The PDF file contains a large number of embedded links, many of which point to a redirector service. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates that one of the primary URLs leads to known malicious infrastructure. The 'PDF_SEO_LINK_FARM' heuristic further suggests that the document is designed to host a large number of external links, likely for SEO manipulation or to distribute malicious content. The document body is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, further supporting the link-based attack vector.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=introduction+to+seismic+interpretation+hart+pdf
- http://files.halfmoonyogaandart.com/uploads/1/3/2/6/132695517/8318793.pdf
- http://files.paoniacherrydays.com/uploads/1/3/1/4/131438667/dcdaf9782a9a9.pdf
- http://files.benstillsings.com/uploads/1/3/2/3/132303147/a2a5f3fc1.pdf
- https://cdn.shopify.com/s/files/1/0431/7826/2692/files/39225339280.pdf
- https://cdn.shopify.com/s/files/1/0427/8393/2582/files/danuxudigedoz.pdf
- https://cdn.shopify.com/s/files/1/0439/2304/6568/files/63200258225.pdf
- https://cdn.shopify.com/s/files/1/0439/3644/8667/files/lageviri.pdf
- https://cdn.shopify.com/s/files/1/0432/9403/2025/files/xuvenomikanijivaxijunofa.pdf
- https://cdn.shopify.com/s/files/1/0428/7492/9319/files/39169314413.pdf
- https://cdn.shopify.com/s/files/1/0433/6245/1611/files/2997225295.pdf
- https://cdn.shopify.com/s/files/1/0435/1010/4228/files/bizasezifolisipafibosoku.pdf
- https://cdn.shopify.com/s/files/1/0432/7086/5052/files/topegevinujegon.pdf
- https://cdn.shopify.com/s/files/1/0434/9493/2640/files/fujokivulitupuja.pdf
- https://cdn.shopify.com/s/files/1/0428/8148/2919/files/kujumusufezukatiwoz.pdf
- https://cdn.shopify.com/s/files/1/0431/8691/3431/files/monazodugegiloruve.pdf
- https://cdn.shopify.com/s/files/1/0429/8289/9871/files/kejep.pdf
- https://cdn.shopify.com/s/files/1/0435/9634/9602/files/72949943315.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000df51.bin7ca4980251af0bdd62613550ec9d13418e15ece144a356e90a859ca99677fe68 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF51 | 5184 bytes |
font_01_sfnt_off0000f0bc.binf85105ccbbb58103c71f2c3b4f910067b93eef7c2b8886d846e9630d751af279 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0BC | 15792 bytes |
font_02_sfnt_off000121bc.binba04679cbc7368f9890885b57c2b0d1aeb6d4f863cf9ecec45405187c742a2cd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x121BC | 16116 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.