Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.001 PowerShell
The PDF contains an embedded script payload and a large number of external PDF links, indicating a link farm designed to direct users to potentially malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious-redirection intent. The embedded script likely facilitates the redirection or the download of further payloads.
Heuristics (6)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
- Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://gartnergolden.com/uploads/1/3/0/4/130490036/7567217.pdf
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| embedded_pdf_script_00000070.bin | 1fc9f053adee181ffa060297caa493da60d37899e8d6a5d2b5e398f2b76224c2 | pdf-embedded-script | PDF decompressed stream script payload at offset 0x70 | 41844 bytes |
| font_00_sfnt_off000028df.bin | 1e885d60cbf87b2d121aee0ffcf9c2a1d54f1fd6ac0bf31fbb9be380a7329283 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28DF | 9208 bytes |

Detection for embedded_pdf_script_00000070.bin:
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Obfuscation or payload: likely (carved artifact contains 3 shell/COM execution tokens)