MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the string '2k16 download apk' and the malicious redirector URL, suggesting a lure to download potentially malicious Android application packages. The presence of numerous PDF links, many benign, likely serves to obscure the malicious intent and evade detection.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.link/wix?keyword=2k16+download+apk
- http://files.e67agency.com/uploads/1/3/1/4/131407571/7038982.pdf
- http://files.truewealthfg.com/uploads/1/3/2/7/132710687/migejowo.pdf
- http://files.elixrpickup.com/uploads/1/3/1/4/131438423/xatojojifima.pdf
- https://3cec926c-fd27-4c3d-9b02-f82c4eea4bb5.filesusr.com/ugd/12daa7_9bb45c4520a0414b9ab0489cc51e51fc.pdf?index=true
- https://80312c28-df3b-44c1-b69f-f41246cdf596.filesusr.com/ugd/b73feb_41da1b02f6ef4e7d856aae7126bf297d.pdf?index=true
- https://66b36d59-06ab-4732-aa35-1ebaf4522759.filesusr.com/ugd/3f8d85_0c7b0bb7085e4b38a0a32a4d2be638dd.pdf?index=true
- https://26854c48-a034-4159-9b8c-d4ec716eeb30.filesusr.com/ugd/717a42_6ee954bf55604d2caad585fe13fa479b.pdf?index=true
- https://cdn.shopify.com/s/files/1/0430/7304/4642/files/44995913442.pdf
- https://cdn.shopify.com/s/files/1/0433/5845/3918/files/55611289500.pdf
- https://cdn.shopify.com/s/files/1/0431/5955/2166/files/96468943232.pdf
- https://5dfb6536-a6ae-440a-ab46-b87bee071a4f.filesusr.com/ugd/f09a9d_e92f2bb1cea6417791a7ccd1ffcd0136.pdf?index=true
- https://e08c7630-b5c7-46de-b1b3-09f64f4e4e40.filesusr.com/ugd/b56239_5a5553c5b894419e84431954e4280264.pdf?index=true
- https://11520358-7272-4169-a16e-c95be67cf760.filesusr.com/ugd/96564c_f519638ae0184f8ba872f34a268c3fb0.pdf?index=true
- https://200cbb3a-f808-11ea-a328-fc4dd43d38a6.filesusr.com/ugd/fd4c29_f8822443eeda4fc98dff82760e6ff4bd.pdf?index=true
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005c1c.bin74ad7917dd4de880f0b42cec6377447520fc4ac701b2787f132e0a09a009c6ef |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C1C | 5080 bytes |
font_01_sfnt_off00006d93.bin36d9fbc0689fed82c5d48c963e6f3552919c44c386dcceeb3d2433f463a12c59 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D93 | 10272 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.