Verdict: MALICIOUS
Risk Score: 232
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF contains numerous links to other PDF files, a technique often used in advance-fee scams to obscure the malicious payload. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were extracted, the document body and heuristics point towards a phishing or scam lure, likely delivered as a spearphishing attachment.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9999
Heuristics (5)
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- PDF link to algorithmically-generated URL [high, PDF_RANDOM_URL_LINK]: PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures, in which the visible document is only a prompt; it is not a PDF parser vulnerability.
- Advance-fee lottery/parcel scam lure [high, SE_ADVANCE_FEE_SCAM_LURE]: Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000118c.bin (a257c6fd8717f5c24fde034e24b0747440b4726bc8737f1e66f61a13266098a9) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x118C | 8632 bytes |