MALICIOUS
Risk Score: 70
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1204.002 Malicious Link
The PDF document contains a mass external link farm, with numerous URLs pointing to other PDF files, suggesting a distribution mechanism for malicious content. The presence of a "Click here to download" lure further supports a phishing or social engineering attack. The document's content and structure indicate an attempt to trick users into downloading further payloads from the linked domains.
Heuristics (4)
- Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM). Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON). Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (severity: info, rule: PDF_URI). PDF contains an external URL action.
- Embedded URL (severity: info, rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007f7d.bin (5a6d4b51a5410c8ef3537c7306f456192f26bdee4869900514eeb76c5ffb3698) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F7D | 9708 bytes |
| font_01_sfnt_off0000a428.bin (0c8b636322dcb4d69dd08a763b09c4b5ff2b7ea73056f43add13012560a79e6e) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA428 | 16076 bytes |