Verdict: MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
- T1204.002 Malicious Link
- T1059.003 Windows Command Shell
The PDF file contains a large number of external links, many of which point to other PDF files, suggesting a link farm for SEO or traffic redirection. The document body presents a fake error message, instructing the user to press Win+R or paste a command, which is a known social engineering technique (ClickFix) to bypass macro restrictions and trick users into executing malicious commands. The ClamAV detection further confirms its malicious nature, classifying it as a phishing/trojan downloader.
Heuristics (4)
- Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, id: CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- ClickFix social engineering attack (severity: high, id: SE_CLICKFIX): Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
- Embedded URL (severity: info, id: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs extracted from the document:
- http://cpljohnstalvey.com/uploads/1/3/0/7/130775247/7a794bfdfaee5a.pdf
- http://theheartconnectiontolearning.org/uploads/1/3/0/3/130379386/970d95a7c.pdf
- http://www.orangecountyautobarn.com/uploads/1/3/0/5/130588444/jibinabiw.pdf
- http://mondokdentalmexico.com/uploads/1/3/0/2/130288551/36693.pdf
- http://minimalteacher.com/uploads/1/3/0/6/130639099/sozidute-wixavawu-jofuzawuvov-lojunejumapatod.pdf
- http://jibarra.trienekens.es/uploads/1/3/0/3/130312952/3094446.pdf
- http://www.zonduanalytical.co.za/uploads/1/3/0/3/130323319/gogudilisured-zarizozapana-wesegudigute.pdf
- http://miscellaneous-music.com/uploads/1/3/0/2/130289655/7509012.pdf
- http://maliciousprosecution.net/uploads/1/3/0/8/130813797/6690104.pdf
- http://mapleleafmarketing.ca/uploads/1/3/0/7/130776159/5721650.pdf
- http://www.nikkiheyder.com/uploads/1/3/0/4/130476586/513ecd850c22.pdf
- http://telos.studio/uploads/1/3/0/4/130483253/jufibudesimovositoto.pdf
- http://lizardkingmedia.net/uploads/1/3/0/7/130776655/0492c232034629.pdf
- http://www.igclegal.com/uploads/1/3/0/6/130603860/rimalavateto.pdf
- http://redneckridgeriders.com/uploads/1/3/0/4/130483285/lerebogo.pdf
- http://www.thefiftyjackson.com/uploads/1/3/0/8/130874347/0ca3e797e.pdf
- http://willrmccarthy.com/uploads/1/3/0/2/130287284/fanopafeziduzo_rujaker.pdf
- http://skylinedc.org/uploads/1/3/0/4/130490053/9936575.pdf
- http://bakersfieldbirthnetwork.com/uploads/1/3/0/6/130620224/4abd0.pdf
- http://itfacilities.net/uploads/1/3/0/4/130479350/konifu_wojuvodezikozop_dopokojajisukis.pdf
- http://moonlightmods.com/uploads/1/3/0/5/130540176/6ba03.pdf
- http://owenmuirmd.com/uploads/1/3/0/4/130475979/rujefaxitobede_xiluxelanave_wesodemimufo.pdf
- http://badgeyourclassroom.com/uploads/1/3/0/7/130738764/bb663e27d3ea7.pdf
- http://leanneeverettphotography.com/uploads/1/3/0/5/130550743/7052664.pdf
- http://adsl-63-204-18-58.benefitplans.org/uploads/1/3/0/4/130488509/130488509.html#find+adobe+acrobat+2017+serial+number+in+registry
- http://skylinedc.org/uploads/1/
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00003032.bin | de7ac0ecbc60ea4a0975efa235658efc914a2099d38dc0bdf2e0330446a47e09 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3032 | 7532 bytes |