MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains a link farm and a direct link to a known malicious redirector, indicating a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the primary malicious URL. The heuristic firings confirm the presence of malicious redirector links and a link farm, suggesting the PDF's purpose is to drive traffic to potentially harmful sites. No scripts were extracted from this sample.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ggtraff.ru/mozel?keyword=woods+50009+timer+manual
- https://site-1037218.mozfiles.com/files/1037218/6459231398.pdf
- https://site-1041384.mozfiles.com/files/1041384/nibipekatexifubox.pdf
- https://site-1036880.mozfiles.com/files/1036880/26297100290.pdf
- https://site-1037279.mozfiles.com/files/1037279/vulaxil.pdf
- http://pavelibag.mrwhatley.com/uploads/1/3/1/0/131070197/22b20ddb207f16.pdf
- http://files.cardifftherapy.com/uploads/1/3/0/7/130738889/40b97.pdf
- http://sixopis.perkypelican.com/uploads/1/3/1/6/131637218/721258.pdf
- http://files.turquoisematrix.com/uploads/1/3/2/6/132681481/3658385.pdf
- http://files.xmomentsports.com/uploads/1/3/0/8/130874261/60efb8feec17b3.pdf
- https://site-1036621.mozfiles.com/files/1036621/97098606729.pdf
- https://site-1037018.mozfiles.com/files/1037018/xumikarofatamaduf.pdf
- https://site-1036722.mozfiles.com/files/1036722/rarel.pdf
- https://site-1048190.mozfiles.com/files/1048190/2455096076.pdf
- https://cdn.shopify.com/s/files/1/0500/3444/2390/files/87322631536.pdf
- https://cdn.shopify.com/s/files/1/0440/6080/3237/files/jirijivexo.pdf
- https://cdn.shopify.com/s/files/1/0428/7299/5996/files/roluvogijalilut.pdf
- https://cdn.shopify.com/s/files/1/0268/7621/5482/files/intensive_english_programme.pdf
- https://cdn.shopify.com/s/files/1/0499/2335/8888/files/unblocked_games_hacked_500.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005f72.bin61d708393c582f863ae239031d5b5a4255000b0eec5cd569bc5de19f92211fa2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F72 | 5404 bytes |
font_01_sfnt_off000071ca.bin658319b80871063bc4b6fb6f82d92465bc4cbe4e5626b67ae39a7cf7eaa56257 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x71CA | 10228 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.