MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF document contains numerous embedded links to external PDF files, a common tactic for SEO poisoning and redirecting users to malicious sites. Heuristics indicate this is an advance-fee scam and a payment redirection lure, suggesting the linked PDFs are designed to trick users into making fraudulent payments or divulging sensitive financial information. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 6
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LUREDocument describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://intentionalfitness.club/uploads/1/3/0/4/130490719/sevufomumivelosawum.pdf
- http://mexiitem.com/uploads/1/3/0/7/130776502/7792478.pdf
- http://mpcaa.net/uploads/1/3/0/6/130603968/6258860.pdf
- http://caseylieberman.com/uploads/1/3/0/4/130483766/pobunisutabatugob.pdf
- http://thehappyvisionarycoach.com/uploads/1/3/0/7/130775821/e3a4a3b9483a362.pdf
- http://auctionsumo.com/uploads/1/3/0/2/130271212/sesadak_muvonirizubum_vobivonexi_sewaboxiluso.pdf
- http://rubberbymok.com/uploads/1/3/0/5/130539238/585215.pdf
- http://johnsonjaguarband.net/uploads/1/3/0/6/130621435/7384308.pdf
- http://sugooi.com/uploads/1/3/0/3/130379143/zajafiridi_pufitade.pdf
- http://veteransretreatcenter.com/uploads/1/3/0/6/130604144/sekamiwud_runivaki.pdf
- http://smootherwaters.com/uploads/1/3/0/7/130740551/1226f29fce42cb.pdf
- http://stilettosandshotguns.com/uploads/1/3/0/6/130639652/260235b793.pdf
- http://myleegen.com/uploads/1/3/0/3/130313049/3382928.pdf
- http://nicegiant.com/uploads/1/3/0/6/130604772/zugofukapadanaxugato.pdf
- http://333-tools.com/uploads/1/3/0/4/130483428/fifuxe.pdf
- http://bodyprojecttreatment.com/uploads/1/3/0/6/130639436/7882574.pdf
- http://mingrentang.bpmtc.com/uploads/1/3/0/5/130588240/130588240.html#where+to+file+form+i-134+affidavit+of+support
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004815.bin50c9f9bdbb18f697aa15e7ac76f11d93b9f0c7b00f2f11337cdd7051ce21f5e7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4815 | 8140 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.