Verdict: MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell
The PDF carries an unusually large number of external links for its size, flagged by the PDF_SEO_LINK_FARM heuristic, which points to a generated link-farm or redirection carrier rather than a document with genuine citations. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier's 0.9988 malicious score corroborate the verdict. Of the 22 extracted targets, 21 are further PDFs and one is an HTML page with an SEO-style fragment; they are spread across 22 distinct hosts but all share the same /uploads/1/3/0/N/13NNNNNNN/ directory layout, consistent with throwaway sites on a single site-builder platform. The linked files are likely used to distribute further malicious content or phishing pages. The only artifacts carved from the file are four embedded sfnt font streams, consistent with a carrier that relies on the user clicking through rather than on active content; nothing in this report evidences the T1059.001 (PowerShell) mapping for the PDF itself.
Machine Learning
- Nyx PDF Classifier malicious score 0.9988
Heuristics (3)

Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.

ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0

Embedded URL info (EMBEDDED_URL)
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs:
- http://www.fortworthcardshow.com/uploads/1/3/0/5/130542935/bawipumowudeb.pdf
- http://sophiaeportfolio.com/uploads/1/3/0/5/130590059/1617438.pdf
- http://mtgcustomcards.com/uploads/1/3/0/6/130620889/8aba3ad56e38cc.pdf
- http://melodyarcade.net/uploads/1/3/0/5/130590363/46c9fc4fa9268.pdf
- http://hollywoodmediacampus.com/uploads/1/3/0/5/130550836/muler.pdf
- http://breimhurst.com/uploads/1/3/0/3/130323322/d736d9de3be5518.pdf
- http://craneandrigging.solutions/uploads/1/3/0/8/130874570/267b1996d.pdf
- http://yearingreen.com/uploads/1/3/0/6/130621457/ratarimudiv.pdf
- http://drelman.com/uploads/1/3/0/7/130740502/2903162.pdf
- http://abundantlivingbytyrolea.com/uploads/1/3/0/5/130550790/4151fc48b6d7c.pdf
- http://emotracing.com/uploads/1/3/0/6/130639805/4841210.pdf
- http://qwodo.com/uploads/1/3/0/7/130775610/8837360.pdf
- http://quadgear.org/uploads/1/3/0/7/130775241/16f41b66945f.pdf
- http://wildxadventures.com/uploads/1/3/0/6/130620159/9112906.pdf
- http://jesusonprophecy.net/uploads/1/3/0/4/130489377/dikose_wetojijesirufag_sosojox_ramefawopuze.pdf
- http://illuminopoly.com/uploads/1/3/0/6/130621134/5310dcea.pdf
- http://mail.gilmont.org/uploads/1/3/0/5/130551341/8683754.pdf
- http://impulsandotusfinanzas.com/uploads/1/3/0/2/130289748/9861272.pdf
- http://purplestore.net/uploads/1/3/0/6/130620547/favazajokitapi.pdf
- http://honeycombbooks.org/uploads/1/3/0/2/130288329/34e10cdbd399e67.pdf
- http://cryptopalz.com/uploads/1/3/0/3/130323471/5373769.pdf
- http://reinvestingdeals.com/uploads/1/3/0/4/130483634/130483634.html#online+hindi+mangal+font+typing
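As an added example, not code from the analyzer or from this report: a minimal scorer in the spirit of the PDF_SEO_LINK_FARM heuristic. It pulls /URI link-annotation targets straight out of the raw PDF bytes and computes the features the heuristic text describes (link count in a small file, share of targets that are themselves PDFs, clustering on one host), and generalizes the clustering idea to a shared path template, which is the pattern the URL list above actually shows. The thresholds, the path-template feature, the `build_sample_pdf` helper and the `SAMPLE_URLS` input are assumptions for illustration, not the analyzer's real tuning or real data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string form only: /URI (http://...) .  Hex strings, escaped
# parentheses and annotations living inside compressed object streams
# (/ObjStm) are not handled here; a real scanner inflates streams first.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI link-annotation target found in the raw bytes."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]


def path_template(url: str) -> str:
    """Collapse digit runs in the directory part so that
    /uploads/1/3/0/5/130542935/x.pdf and /uploads/1/3/0/7/130775610/y.pdf
    fall into the same template (/uploads/N/N/N/N/N)."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_features(pdf: bytes) -> dict:
    """Features the heuristic text talks about: link count, host spread,
    share of targets that are themselves PDFs, and clustering on one host
    or on one path template."""
    uris = extract_uris(pdf)
    n = len(uris)
    hosts = Counter((urlsplit(u).hostname or "") for u in uris)
    templates = Counter(path_template(u) for u in uris)

    def top_share(counter: Counter) -> float:
        return counter.most_common(1)[0][1] / n if n else 0.0

    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in uris)
    return {
        "size": len(pdf),
        "links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_share(hosts),
        "top_template_share": top_share(templates),
        "pdf_target_share": pdf_targets / n if n else 0.0,
    }


def is_link_farm(pdf: bytes, max_size: int = 200_000, min_links: int = 10) -> bool:
    """Assumed thresholds: a small file with many links that mostly point at
    further PDFs and cluster on one host or on one path template."""
    f = link_farm_features(pdf)
    if f["size"] > max_size or f["links"] < min_links:
        return False
    clustered = f["top_host_share"] >= 0.6 or f["top_template_share"] >= 0.6
    return clustered and f["pdf_target_share"] >= 0.5


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed input, not a real sample: a one-page PDF carrying one
    /Link annotation per URL.  The xref table is omitted because this
    example only scans the bytes; a viewer would rebuild it."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# Constructed URLs mimicking the report's pattern: different throwaway hosts,
# identical site-builder upload directory layout, almost all .pdf targets.
SAMPLE_URLS = [
    "http://site%02d.example/uploads/1/3/0/%d/13%07d/%x.pdf" % (i, i % 9, 500000 + i, 0xABC000 + i)
    for i in range(11)
] + ["http://site99.example/uploads/1/3/0/4/130483634/130483634.html#seo+fragment"]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print(link_farm_features(sample))
    print("link farm:", is_link_farm(sample))
    print("single citation:", is_link_farm(build_sample_pdf(["http://example.org/paper.pdf"])))
```

On the constructed sample the host clustering feature is weak (12 distinct hosts, top host share 1/12) but the template clustering is total, so the file is still flagged; a one-link document is not. The regex approach is deliberately shallow: it misses hex-encoded strings and anything inside compressed object streams, so in practice run it over the inflated objects from a real PDF parser.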
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00004eee.bin | 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4EEE | 1388 bytes |
| font_01_sfnt_off00005865.bin | 6ec3d582d4036b4d691ce0dc1048ea4e488c01d3351a1b262bf390d78a09cc1a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5865 | 15048 bytes |
| font_02_sfnt_off00008261.bin | c70379ea1efc1fe31f926f2a0124b8e35118627020b76a75e6667f792e1b6db2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8261 | 8004 bytes |
| font_03_sfnt_off00009d8a.bin | 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D8A | 16036 bytes |