MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF file contains a large number of embedded links, many of which point to a redirector service. The primary malicious link, 'https://ttraff.link/wix?keyword=wilson+reading+system+lesson+plan+pdf', is flagged as malicious. The document body, though heavily obfuscated, contains references to the same malicious URL and other benign-looking PDF links, suggesting a lure to a malicious site. The heuristic firings confirm the presence of malicious redirector links and a link farm, indicating a likely phishing or malware distribution attempt.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=wilson+reading+system+lesson+plan+pdf
- http://waputelu.beamwellness.org/uploads/1/3/1/6/131636746/9fd072094bff122.pdf
- http://files.heartlandjungians.org/uploads/1/3/0/7/130776841/ziniruper.pdf
- http://files.natashabentley.co.uk/uploads/1/3/0/7/130776514/lusew_wupux.pdf
- http://togeno.eriwonders.com/uploads/1/3/2/6/132695302/sebazipaperuzi-nifas-guxupebu-neribaxasus.pdf
- https://85cc8e47-072f-423c-9ec0-246b017b4f6a.filesusr.com/ugd/c57cae_4ca2c76777574c35b4ca4948c7e5dfe8.pdf?index=true
- https://b56070b9-ea78-4fc3-836a-a4f66daddd44.filesusr.com/ugd/2274a7_7bc92c70637c45bdba6a05277f15c855.pdf?index=true
- https://4217dfc6-c2b1-4585-a26c-6d4660fb591a.filesusr.com/ugd/de3d83_bf40d178a7c94102b24c6b1a56903ac1.pdf?index=true
- https://7da82b05-a30b-4a0e-b339-e99b411dcd8a.filesusr.com/ugd/7c1f05_0b5dd9074c7c4c46ba93046867d61ebc.pdf?index=true
- https://3f887cbd-9cce-4006-94ad-b2127c79dca2.filesusr.com/ugd/735424_ba702505f75c458d8fd835dfddf720fe.pdf?index=true
- https://ba44754d-92ae-46a2-be9e-2d534ab990d9.filesusr.com/ugd/c83fdb_14fe707f964e4124b8fa109dbcaaf301.pdf?index=true
- https://162ff41b-f30d-4a3b-933e-7b14af52017a.filesusr.com/ugd/592671_e30b29889ca8404697123afbb280dd6a.pdf?index=true
- https://75c56724-8c12-4e19-99d3-dd3f83522690.filesusr.com/ugd/dad7b5_7b818d5e471d4ce7aa8d537a1efaafa9.pdf?index=true
- https://f15c3f32-63b1-4706-823b-b043eb73da42.filesusr.com/ugd/8a4248_77b5cdc70f4b44aaa22fbf1323263af7.pdf?index=true
- https://cdn.shopify.com/s/files/1/0431/3376/3746/files/69713860121.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/28068876324.pdf
- https://cdn.shopify.com/s/files/1/0432/0703/2990/files/spread_footing_design.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006669.bin7fadfd0cbe95fee24a371b861e1a55073894db1a07b4775f1e6d496051f6122f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6669 | 5476 bytes |
font_01_sfnt_off00007908.binff2394e6ea61421cc35be34c73314599d5b3aa7585ec5bb4423788dd64786963 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7908 | 10072 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.