Malicious PDF — malware analysis report

Heuristics 4

• PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ttraff.me/wix?keyword=tucson+craigslist+for+sale

  • https://774a96c2-0929-4681-9378-f6b8dd2c62bc.filesusr.com/ugd/97368a_80b7f5eaaeab43b59d8acc8daef95d96.pdf?index=true
  • https://52124eac-ed92-4c77-bc6c-79a1706d6e5c.filesusr.com/ugd/7198c1_090dc881256241cf8733d329cbbafc51.pdf?index=true
  • https://d203c826-884f-4400-a7b1-dd57d7a70747.filesusr.com/ugd/f390e7_dac5cbee9b5046bf83dcc7077c9c9ce5.pdf?index=true
  • https://10cf9714-420b-4428-88b5-acd5e445c682.filesusr.com/ugd/e2c223_df9f72084fbc49c4b964e862ac9bb3ff.pdf?index=true
  • https://a79fcb59-c81b-4f37-a7ad-e503ad114f95.filesusr.com/ugd/65b209_ecfa023138c84ea9b16ed6ffc1c2c323.pdf?index=true
  • https://695709a8-1d20-41e9-b004-5bc2b3579309.filesusr.com/ugd/10b03a_a57e5c4abde642b784965c0823f329a4.pdf?index=true
  • https://20f2c4eb-fb1d-4a63-896a-717f0a1f9fcd.filesusr.com/ugd/32777b_75831c177df14c688325c4ba8ace4e72.pdf?index=true
  • https://9f355c15-b124-47e1-838a-ec24b6103ec2.filesusr.com/ugd/3f4b99_86fb954fe15240edaa04fdd6a2273ade.pdf?index=true
  • https://f8c6d7e5-85dd-43b2-880b-c02aced65a80.filesusr.com/ugd/132250_76f2619e08524fb59189aa2fad962d1e.pdf?index=true
  • https://aa98ecc3-44fa-4e14-9a7d-36280efbda91.filesusr.com/ugd/54dfea_1ac5adc8384943018cc737bfab90a4e4.pdf?index=true
  • https://395d350b-579a-46b3-8866-3a0fbf98e51f.filesusr.com/ugd/87ad98_44c567c6ef254389a9ff071db6c46772.pdf?index=true
  • https://c1c74a94-0cd7-4a82-886f-ef0e85656ea4.filesusr.com/ugd/85d67f_ff41204874bc45f984cefb7191345801.pdf?index=true
  • https://e5cd00f1-4ed7-41ae-9672-2c24e02ecf8e.filesusr.com/ugd/b0c717_c71fe0790ce34799a45d0b041f543ed5.pdf?index=true
  • https://0f39cbe4-5040-4967-b0b2-0ea15c1508ae.filesusr.com/ugd/724bd4_60f9fc9a9cdd459a8a06fadaaca803d2.pdf?index=true
  • https://54d0093e-5697-4cd0-bcfb-cfde2feeb44e.filesusr.com/ugd/12dc78_f1cf4e8edbcf46308cd3e20426232ad7.pdf?index=true
  • https://5396a4e3-2b92-4183-a7b0-191979271a02.filesusr.com/ugd/455f95_968dad583b7f406891a44c3b94175c25.pdf?index=true
  • https://80a2ab07-f52f-446d-ae32-cdffad60a561.filesusr.com/ugd/fd7405_732bad7169194824ae81f5ff42a7a7c1.pdf?index=true
  • https://983442ea-d21e-432a-91ce-c42e448ebdd9.filesusr.com/ugd/ec0012_3af7808324f0480dbcd3d1e24dccc6b5.pdf?index=true
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • https://0f39cbe4-5040-4967-b0b2-0ea15c1508ae.filesusr.com/ugd/724bd4_60f9fc9a9cdd459a8a06fadaaca803d2.pd

Open this report in the interactive analyzer, or submit your own file for analysis.