Verdict: MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
T1059.001 PowerShell
The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a phishing or SEO spam campaign. The SE_LOLBIN_RUN_COMMAND heuristic indicates the presence of instructions that could involve executing scripts or commands, potentially to download further payloads. The ClamAV detection, Pdf.Phishing.TtraffRobotInstall-7605656-0, further confirms its malicious nature.
Heuristics 4
- Small PDF contains mass external PDF link farm | critical | PDF_SEO_LINK_FARM: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Visible LOLBin command execution instruction | high | SE_LOLBIN_RUN_COMMAND: Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000033e1.bin 641e1e77f25eebe0fd1e120156f1bbc5c45afa761a1cf287d38a4e8df5804f75 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33E1 | 8004 bytes |