Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 PowerShell
The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. This technique is commonly used for phishing campaigns or to distribute further malware. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and malicious redirection intent. No scripts were extracted from this sample.
Heuristics (3)
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- http://parkplacedepot.com/uploads/1/3/0/3/130313082/bipetamabatuf-tafegozitubape-potozivug.pdf
- http://mta114.qualitynow.net/uploads/1/3/0/4/130489418/1290649.pdf
- http://envyious.com/uploads/1/3/0/5/130588480/jujexema.pdf
- http://www.elliebustamante.com/uploads/1/3/0/6/130604505/eaad3daaa1c71d.pdf
- http://canepaahclp.com/uploads/1/3/0/3/130323892/6398598.pdf
- http://mosholudaycamp.com/uploads/1/3/0/3/130313320/renusa_bojutoxefoka.pdf
- http://swearingenfamily.com/uploads/1/3/0/5/130588232/c0445fe83.pdf
- http://bikeguyslc.com/uploads/1/3/0/5/130588442/8570228.pdf
- http://thestarlightclub.com/uploads/1/3/0/6/130621901/60409bd434a6e.pdf
- http://brytnsduds4donors.org/uploads/1/3/0/6/130603824/gapexerenenadewataji.pdf
- http://jfainnovative.com/uploads/1/3/0/6/130604492/5500086.pdf
- http://www.drkatieskitchen.com/uploads/1/3/0/4/130483350/guxuzusisoru_dutos_meloxusexa_fuzev.pdf
- http://mail.xenastrategies.com/uploads/1/3/0/7/130738705/memaku_daxexifipo_kularuposekokod.pdf
- http://baronyofthelonelytower.org/uploads/1/3/0/6/130621277/6c0041442.pdf
- http://hostmaster.townsendcars.co.uk/uploads/1/3/0/5/130551303/d61de51540ea.pdf
- http://neilgeyette.com/uploads/1/3/0/7/130738711/zenovijer.pdf
- http://scahistoricalsociety.com/uploads/1/3/0/6/130639098/zuzakomidodunedipivo.pdf
- http://almacca.com/uploads/1/3/0/2/130289392/0fa02.pdf
- http://creatingtheconditionsfortransformation.com/uploads/1/3/0/4/130475980/1022245.pdf
- http://www.surgicoordinator.net/uploads/1/3/0/4/130435622/35aa03fa760596e.pdf
- http://www.shiying-cheng.com/uploads/1/3/0/2/130272586/c8e58.pdf
- http://eycongrats.com/uploads/1/3/0/5/130551864/5798740.pdf
- http://kyidealroofing.com/uploads/1/3/0/6/130604996/5552195.pdf
- http://mymountainstories.com/uploads/1/3/0/7/130740110/kepuna.pdf
- http://74-123-77-77.mgwnet.com/uploads/1/3/0/6/130639690/130639690.html#characteristic+ir+absorption+of+functional+groups
- http://brytnsduds4donors.org/uploa
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00003186.bin | 57d6e63e99d889981e260268493a79c6cd61aee50b56242e624f4c4d43ebda92 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3186 | 2600 bytes |
| font_01_sfnt_off00003d47.bin | 7a9f9b5c7931a600accd43f82ccd1e42d4ba6beedcd6967b4d2bbe0699f9b3ef | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3D47 | 8324 bytes |