Malware Insights
The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=marie+kondo+pdf+download'. Additionally, it exhibits a PDF link farm heuristic, indicating a large number of external links, with 'https://ec6d9806-5936-49de-948d-5cc7cd7c0ae9.filesusr.com/ugd/a48928_bf20a180be0f48b7aee246ebb5dd0c4f.pdf?index=true' being the first identified. The document body, though heavily obfuscated, also contains these URLs, suggesting a lure to download potentially malicious content disguised as a 'Marie Kondo PDF download'. No scripts were extracted, and the document structure itself is the primary vector for the attack.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.me/wix?keyword=marie+kondo+pdf+download
- http://files.pdi-nusacc.org/uploads/1/3/1/3/131381288/konudumeluzen.pdf
- http://bapomuno.gapple-co.com/uploads/1/3/0/9/130969430/riwekewowosepo_kolubazovosaj_nuwofarove_tawelunawipi.pdf
- https://ec6d9806-5936-49de-948d-5cc7cd7c0ae9.filesusr.com/ugd/a48928_bf20a180be0f48b7aee246ebb5dd0c4f.pdf?index=true
- https://4b6aaacc-86e7-4ac3-a570-791e82eeea47.filesusr.com/ugd/bc84a3_16226a1210d24075bb74819eb70e1bff.pdf?index=true
- https://4caa3b34-0aa7-4f4e-9d1c-21aa934d2113.filesusr.com/ugd/296484_0274741e266a4e7cb157cfea6d6ff00f.pdf?index=true
- https://302285c2-e1ed-45e4-aa54-e67ae379b28c.filesusr.com/ugd/17beed_e518afb8151c46d1ba98a517254482b9.pdf?index=true
- https://c7c9de8d-2469-4cdb-bfe1-ac9e2bb01f9b.filesusr.com/ugd/7a11b0_cb05f6326ebb43dda595e85dde964f01.pdf?index=true
- https://f955907a-e25f-4792-a0a3-ffcf2955f075.filesusr.com/ugd/a9248e_f5832d4ad9fb4df483ac3658e39711fa.pdf?index=true
- https://ce4801fb-d41c-4788-b8b2-a686d64c02fc.filesusr.com/ugd/4c3ae3_ebc3079480ab4214bf557082eb013100.pdf?index=true
- https://b7042b08-41af-4e58-8245-a436562f0cf6.filesusr.com/ugd/33a2e4_568e98d04d4e4171969c6020fde845f4.pdf?index=true
- https://94f9906f-a76f-4f65-85c4-049496cca471.filesusr.com/ugd/bdc04d_e021ca6df477483ead8ec4e1ec766c44.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005eb1.bin6eed4d30412eef616738ea2dc0e2fb6c267f8c7ec0607cd785ef041796636660 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5EB1 | 5020 bytes |
font_01_sfnt_off00006ff7.bin3135a03d00bcf4803585962e4481e1c9319e753d97ce102660e474e5e59b375a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FF7 | 10224 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.