MALICIOUS
232
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF document contains a large number of external links, many of which point to other PDF files, suggesting a link farm or redirection mechanism. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document attempts to trick the user into installing a browser extension or update. This, combined with the ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall', strongly suggests a phishing or malware distribution campaign. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://seka.kanomtravel.com/uploads/2020/01/27/fomijo_timufebewazid.pdf
- https://xobofasufo.weebly.com/uploads/1/3/0/2/130289583/5235932.pdf
- http://allacadenza.com/uploads/1/3/0/5/130588477/5dc70c57a0.pdf
- http://witteringsfitness.com/uploads/1/3/0/4/130476098/xarati_wujuvajob_kapofubo.pdf
- http://vrkuzbass.online/uploads/2020/01/28/sugexuvutomuwa_xaguw_sapigeli_bexaweke.pdf
- http://neurodevelopmentandhealingbydesign.com/uploads/1/3/0/3/130323835/finez.pdf
- http://jornalistavitogemaque.com/uploads/2020/01/27/5953125bfc65c3.pdf
- http://wube.csgowins.pw/uploads/2020/01/28/balenika_rirobusi.pdf
- http://gano.antivirussguardingservice.xyz/uploads/2020/01/28/wamalabafulezumimufi.pdf
- http://vivinewi.sparepartsjumberca.com/uploads/2020/01/27/6f056e4dbe80e5.pdf
- http://dsg-logistika.ru/uploads/2020/01/28/lenagisepudajoz_suwamolefojuvu_zadanejabus.pdf
- http://teianalytical.com/uploads/1/3/0/5/130588849/wavuginup_venemokalal_burilozozoma_tedumidumefe.pdf
- http://theplugalex.com/uploads/1/3/0/6/130604864/7453911.pdf
- http://bluesteelradio.com/uploads/1/3/0/6/130621397/0a772a04df.pdf
- http://bidosu.care-store.ru/uploads/2020/01/28/nofiw_vamuleveguguj.pdf
- http://zawufi.atimer.net/uploads/2020/01/28/dapusop.pdf
- http://winpay.fun/uploads/2020/01/28/xapomoroji-bukukoz-subetekakuwugix-bubemasimamuto.pdf
- http://a1experts.net/uploads/1/3/0/4/130435902/kipumo_ralemusepapoguf_sonibimegezu_pukogogesud.pdf
- http://nulofibuzo.telelistamg.com/uploads/2020/01/28/muneloladuga.pdf
- http://maaloufbrothers.com/uploads/1/3/0/4/130476313/130476313.html#download+hello+neighbor+alpha+4
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000185a.bin6c392af7a6e2863e1b1790e608e5e748c963f8b94f691b6d126f6b1b292cef80 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x185A | 8716 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.