Malicious PDF — malware analysis report

Heuristics 7

• PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
  Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
• ClickFix social engineering attack high SE_CLICKFIX
  Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ggtraff.ru/strik?keyword=mac+os+high+sierra+iso+bootable+usb In PDF document text

  • https://cdn-cms.f-static.net/uploads/4373755/normal_5f893bab7390f.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4374685/normal_5f8a60b0c5986.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4365652/normal_5f87ef9108271.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4374835/normal_5f8b379780463.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://www.daltonmaag.com/In PDF document text
  • https://uploads.strikinglycdn.com/files/013228d1-d15b-4f04-89be-f1ccb49466ce/98401595347.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/49012067-3eb4-4bc0-9159-dba0b0773c03/tikokawuwazafixagu.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/ea954a1f-233d-45c0-a7d7-aafe2c39be37/nininili.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/62163eb4-6fc4-483f-89a0-a37c07617b73/57545893726.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/bb3c82aa-44a7-45e4-ae67-d9a7cbbe2d9a/32302505584.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/bff33a96-8400-4926-9db3-5138355e93d0/71195902282.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/307fa477-bd71-470c-b54b-b1b43c0414f3/bogule.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/80e74289-106f-48ab-a909-813d1b277459/fozovemabu.pdfIn PDF document text
  • https://cdn.shopify.com/s/files/1/0460/7885/3284/files/vonurajajexijaretomirezuk.pdfIn PDF document text
  • https://cdn.shopify.com/s/files/1/0434/4456/8216/files/gospel_of_mary_magdalene_download.pdfIn PDF document text
  • https://cdn.shopify.com/s/files/1/0432/0926/1220/files/signos_de_admiracion_en_frances.pdfIn PDF document text
  • https://cdn.shopify.com/s/files/1/0430/1219/4457/files/zivawuviwinadulisof.pdfIn PDF document text
  • https://cdn.shopify.com/s/files/1/0495/9204/1624/files/code_vein_hermes_vestige_2.pdfIn PDF document text
  • https://cdn.shopify.com/s/files/1/0483/9440/3989/files/danielle_steel_francais.pdfIn PDF document text
  • https://cdn.shopify.com/s/files/1/0482/3905/0906/files/most_important_part_of_woman_body.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/cfe172c0-97f0-4100-8d4c-dfb823f45047/50936216937.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/ca474e6f-201e-4e47-be37-7cd979e9b86a/93651583159.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/b8a1b2cc-56df-4cf5-b4fa-4e202cc41dd5/44669313169.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/75f29fa4-08cd-46b4-af69-a358507cf90a/81529193002.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/761cfc9b-a4e0-4bf2-ab20-8c166aea4d44/bezijepenilojanakivanoko.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.