Malware Insights
The PDF is a link farm: it carries 31 external links, most of them pointing to further PDF files on many different domains that all share the same `/uploads/1/3/0/<n>/<id>/` path layout (the extracted URLs are listed under the EMBEDDED_URL heuristic). The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the SE_URGENCY_LURE heuristic point to a phishing-style lure. The document body is heavily obfuscated but contains text about 'gestational hypertension'; one extracted link carries the fragment `#gestational+hypertension+means`, so this topic is the SEO keyword used to attract search traffic rather than the document's real subject. The attack pattern is a generated SEO carrier: a user who opens the document is routed through a large set of external PDFs, most likely towards credential harvesting or unwanted-software delivery.
Heuristics (4)

- PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm. The PDF is small yet contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0. ClamAV detected this file as malware under that signature name.
- SE_URGENCY_LURE (low): Urgency / deadline lure. The document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. A URL is not a detection in itself; the per-URL labels identify which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://daygroupcompany.com/uploads/1/3/0/4/130477335/redabot.pdf
  - http://dhillon-s-ltd.com/uploads/1/3/0/5/130540604/6544193.pdf
  - http://realtimecases.org/uploads/1/3/0/8/130813115/vodexetigi-pajukonipu-fukonitoduda.pdf
  - http://networkinginhighheels.com/uploads/1/3/0/3/130379158/daxuzozimivu-masoxudikugepe.pdf
  - http://www.fiercenfreshfastball.com/uploads/1/3/0/5/130552016/c57795a8.pdf
  - http://canyonman.org/uploads/1/3/0/6/130640069/fimafute_pomepepesi.pdf
  - http://spuggey.com/uploads/1/3/0/7/130775182/3075423.pdf
  - http://texas2stepfilm.com/uploads/1/3/0/6/130620506/xatiwane.pdf
  - http://whosyourhoosier.com/uploads/1/3/0/6/130620670/ece3395e9d42.pdf
  - http://transformingliveschurch.org/uploads/1/3/0/5/130590618/vunasoxagijelizin.pdf
  - http://simplywildsage.com/uploads/1/3/0/7/130776571/bogotetika.pdf
  - http://dirtysouthkickballopen.com/uploads/1/3/0/5/130588165/704cfc372e5c.pdf
  - http://trippystrippy.com/uploads/1/3/0/9/130969411/fee1521b7.pdf
  - http://dollywoodshirts.com/uploads/1/3/0/2/130288751/3220842.pdf
  - http://houstonrealtorleads.com/uploads/1/3/0/2/130270796/pexevepebegan_pujoj.pdf
  - http://alloexo.com/uploads/1/3/0/7/130776158/womezo.pdf
  - http://meddin.space/uploads/1/3/0/2/130288720/ffd4e98.pdf
  - http://bosselitehockey.com/uploads/1/3/0/2/130288559/aa3dce.pdf
  - http://tianboguojiyulechengxinyuzenyang.f18.ebkf.org/uploads/1/3/0/5/130588294/ed94ea6c.pdf
  - http://callarelli.com/uploads/1/3/0/6/130621143/7311921.pdf
  - http://alpenalaw.com/uploads/1/3/0/9/130969905/dadikup-vinakujatuvefo.pdf
  - http://x0750835xstreamtravel.xsideas.com/uploads/1/3/0/3/130323568/130323568.html#gestational+hypertension+means
  - http://transformingliveschurch.org/uploads/1/3/0/5/130590618/vunasoxagijelizin.pd
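The PDF_SEO_LINK_FARM heuristic above, as an added example that is not the analyzer's own code: a byte-level scan for `/URI` link annotations, scored against assumed thresholds for "small file", "many external .pdf links" and "mostly clustered on one host" (the analyzer's real thresholds are not given on this page). It goes slightly beyond the heuristic text by also reporting the host distribution, which is what distinguishes a citation-heavy paper from a generated carrier. The sample PDF skeleton, its URLs and the `.example` hosts are constructed for the demo.

```python
"""Link-farm heuristic for PDF /URI annotations (added example, not the analyzer's code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string /URI targets, allowing backslash-escaped parentheses inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Assumed thresholds; the page does not state the analyzer's real values.
MAX_SIZE = 64 * 1024       # "small PDF"
MIN_PDF_LINKS = 8          # "many" external .pdf links
CLUSTER_RATIO = 0.5        # "mostly clustered on one host"


def extract_uris(pdf: bytes) -> list[str]:
    """Return every literal-string /URI target found in the raw PDF bytes.

    Deliberately shallow: it does not inflate /FlateDecode object streams or
    decode hex strings, so a real tool would need a proper PDF parser first.
    """
    out = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        out.append(raw.decode("latin-1"))
    return out


def link_farm_score(pdf: bytes) -> dict:
    """Score one PDF against the link-farm pattern and return the evidence."""
    uris = extract_uris(pdf)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    small = len(pdf) <= MAX_SIZE
    return {
        "size": len(pdf),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_ratio": round(ratio, 2),
        "clustered": ratio >= CLUSTER_RATIO,
        "flagged": small and len(pdf_links) >= MIN_PDF_LINKS,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Construct a minimal PDF skeleton (not a fully valid file) with one
    /Link annotation per URL; enough for the byte-level scan above."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (%s) >> >>\n" % u.encode("latin-1")
        for u in urls
    )
    return b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" + annots + b"%%EOF\n"


# Constructed sample: a carrier with 9 .pdf links, 7 of them on one host,
# plus one .html link, next to a benign document with two citations.
SAMPLE_URLS = [f"http://farm-a.example/uploads/{i}/file{i}.pdf" for i in range(7)] + [
    "http://farm-b.example/x.pdf",
    "http://farm-c.example/y.pdf",
    "http://farm-d.example/z.html",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)
BENIGN_PDF = build_sample_pdf(
    ["https://doi.example/paper1.pdf", "https://doi.example/paper2.pdf"]
)

if __name__ == "__main__":
    for name, doc in (("carrier", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_score(doc))
```

The host-clustering ratio is reported separately from the verdict on purpose: the sample on this page spreads its links over many hosts with an identical path layout, so a rule that only counts the top host would under-score it, while the link count and file size alone already trip the threshold.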
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00004259.bin | 1a31ae148aa4af7763392fe954e924425a92485837aa085ee7fbb165703794ca | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4259 | 2636 bytes |
| font_01_sfnt_off00004e8d.bin | f205d04c00f73451428b22ca1806ee351c9ecf9dfd9a0829775a1d1b9a3906aa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E8D | 9436 bytes |