MALICIOUS
Risk Score: 72
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a lure for a fake 'ews certificate rajasthan form download' and a visual download button. It also hosts a large number of external PDF links, many pointing to files with numeric slugs, suggesting a link farm or SEO abuse tactic. The primary URL http://cpanel.collegedemsatiu.com/uploads/1/3/0/5/130550774/130550774.html#ews+certificate+rajasthan+form+download and the linked PDF http://fonmeadow.com/uploads/1/3/0/7/130775505/gutodoxapabe.pdf are suspicious and likely serve as part of the initial infection vector.
Heuristics 4
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL:
- http://cpanel.collegedemsatiu.com/uploads/1/3/0/5/130550774/130550774.html#ews+certificate+rajasthan+form+download
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00009922.bin f3d9b916f99ca22c6a8bd9165c46cc8067527a80793ddc711e650ba63891b95e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9922 | 8004 bytes |
| font_01_sfnt_off0000b827.bin d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB827 | 2616 bytes |
| font_02_sfnt_off0000c15b.bin f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC15B | 16204 bytes |
| font_03_sfnt_off0000d689.bin 44d2ddb57b3d45b72a8ca13df1ddf9c29eefc837ba60eda2f797abcbf11bf2ce | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD689 | 17248 bytes |