MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. No scripts were extracted, and the document body content is heavily obfuscated and truncated, making it difficult to ascertain a specific lure.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006e93.bin ca889182d22413b1a5b6446cd5d954c095bfc2c8b2fec1022b19199100617195 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E93 | 16028 bytes |
| font_01_sfnt_off0000853a.bin 21ef703cf1559be1dcf4a4fc17e2b7c10699f0ef22d9b75c390cbd24d6ce1607 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x853A | 26720 bytes |
| font_02_sfnt_off0000cc79.bin bdbd5455d3df8f7fe30b24f92edf4c792266410b39888fe3370010fa7bb8f915 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCC79 | 6676 bytes |