MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique commonly used for SEO poisoning or phishing campaigns. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The document body, though partially corrupted, contains text related to the 'African continental free trade area', suggesting a lure to disguise the malicious nature of the links.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://teamelam.com/uploads/1/3/0/6/130621196/5017875775f663a.pdf
- http://mimariposadesigns.com/uploads/1/3/0/4/130436209/veweninupeni.pdf
- http://medikamentekaufen.com/uploads/1/3/0/6/130605332/0bd30.pdf
- http://www.northernkettleswoodshop.com/uploads/1/3/0/2/130272352/gudup.pdf
- http://www.johnwegmann.com/uploads/1/3/0/7/130740401/2f97422b1788.pdf
- http://wendoverconsultants.com/uploads/1/3/0/7/130775493/forerifulawu.pdf
- http://coachfro.com/uploads/1/3/0/2/130274269/jevagur-dined-gelimabavenekax-gojilukebub.pdf
- http://atlanticnationals.info/uploads/1/3/0/2/130271232/3b1831c.pdf
- http://107redirect.com/uploads/1/3/0/6/130639854/ac2a06e70e18c07.pdf
- http://mx.christequality.com/uploads/1/3/0/3/130379391/c63fd39aeed.pdf
- http://thekimamayasaedd.com/uploads/1/3/0/5/130588542/jodupifonenob.pdf
- http://mrdryit.com/uploads/1/3/0/3/130379051/004fe193952.pdf
- http://clbart.com/uploads/1/3/0/3/130323186/6281601.pdf
- http://towtruckinsuranceus.com/uploads/1/3/0/3/130313098/350b3ab973.pdf
- http://avadhaniestate.net/uploads/1/3/0/3/130313359/xifonururoxowutog.pdf
- http://tesshenry.com/uploads/1/3/0/8/130873795/mujig.pdf
- http://shutupimgay.com/uploads/1/3/0/3/130313525/pojusa_molajesajo.pdf
- http://dfwcleancarpet.com/uploads/1/3/0/2/130272278/mikuv-votixo-vekozamamudoni-werujadinoxudow.pdf
- http://purposeisbaeshop.com/uploads/1/3/0/3/130323516/kosutudo.pdf
- http://meridaanderson.com/uploads/1/3/0/2/130288481/99a28b.pdf
- http://nataliereneesteffen.org/uploads/1/3/0/2/130273761/tukikowoviguvuf.pdf
- http://adarchivist.net/uploads/1/3/0/6/130604248/2bf09a2d2.pdf
- http://aemmajamal.com/uploads/1/3/0/7/130776483/jozixuv.pdf
- http://www.energybillrescue.com/uploads/1/3/0/8/130874469/5796172.pdf
- http://podollangpis.devsite-1.com/uploads/1/3/0/8/130874160/130874160.html#african+continental+free+trade+area+what+you+need+to+know
- http://nataliereneesteffen.org/uploads/1/3/0/2/130273761/tu
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00003167.bin49e46b1970f1e959e48ca9b1045a885bd328694827694894562e5a0950766b27 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3167 | 7936 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.