MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains, indicative of a link farm or redirection scheme. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the 'PDF_SEO_LINK_FARM' heuristic strongly suggest malicious intent, likely related to phishing or driving traffic to malicious content. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery mechanisms.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00003176.bin 7da429c78141bb43a71ef922acdba153775ff87e6d40bc7c8a4778aa7c02f676 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3176 | 8012 bytes |