Risk Score: 152 (MALICIOUS)
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF contains a large number of embedded links to external PDF files hosted on various domains, flagged by the PDF_SEO_LINK_FARM heuristic. This pattern is characteristic of generated link-farm carriers used to manipulate search engine results or to route readers to further malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output corroborate the malicious verdict. No scripts were extracted, so the attack does not depend on active content in the file; it relies on the reader following the embedded links to externally hosted resources.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (3)
- PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm. Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0. ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- http://stripperbud.com/uploads/1/3/0/6/130621412/lovuxagalanezod.pdf
- https://fibutigojojox.weebly.com/uploads/1/3/0/2/130289611/6724900.pdf
- http://philmontcapital.com/uploads/1/3/0/6/130622077/2616019.pdf
- http://guratavis.party.su/uploads/2020/01/27/kimojupov_panetil_gapuz_mepomu.pdf
- https://nalizoxuvot.weebly.com/uploads/1/3/0/4/130489228/8109235.pdf
- http://noli.tzvetnielinzi.ru/uploads/2020/01/28/begadilulirugif.pdf
- http://thetracker.online/uploads/2020/01/28/mavefeji_jabivajed_gozoxumu.pdf
- http://nafox.audiostart03.icu/uploads/2020/01/28/gagazozukiv.pdf
- http://dosax.poste-tunisienne.com/uploads/2020/01/29/4510936.pdf
- http://varsitygreekstore.com/uploads/1/3/0/6/130620343/ecc099fc9d9c.pdf
- http://sekokutir.levina.info/uploads/2020/01/28/degaxumukefuxus.pdf
- https://vopajadebed.weebly.com/uploads/1/3/0/2/130272080/xabezefotefore_nanenurunuxewor_jurakas.pdf
- http://mek.photorobots.ru/uploads/2020/01/28/6710564.pdf
- http://zudir.windowscaner.ru/uploads/2020/01/27/fukirunavowe_nilitolum_jisogijubezena_gidonofuju.pdf
- http://brooklyncollegemfashowcase.com/uploads/1/3/0/5/130551086/8126462.pdf
- http://allthingsroe.com/uploads/1/3/0/2/130289774/311bf0.pdf
- http://dariguve.monplezir.su/uploads/2020/01/27/suwuxuzi.pdf
- http://jewu.ethereumcryptos.biz/uploads/2020/01/27/misipu.pdf
- https://xalotizem.weebly.com/uploads/1/3/0/5/130542971/9499416.pdf
- https://wabomikevoluriz.weebly.com/uploads/1/3/0/3/130379126/kimedi.pdf
- http://nef.mariaflights.com/uploads/2020/01/28/193262ce.pdf
- http://jdmcreative.com/uploads/1/3/0/5/130588497/fixumenuko-jufejeb.pdf
- http://100kakrd.ru/uploads/2020/01/27/6cafb4d.pdf
- http://aroma-piter.ru/uploads/2020/01/27/93541f8b564e38d.pdf
- http://santacruzishome.com/uploads/1/3/0/4/130476313/gumusumosat.pdf
- http://annotalegal.com/uploads/1/3/0/5/130588336/130588336.html#cisco+2960+x+poe+switch+datasheet
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
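The PDF_SEO_LINK_FARM heuristic above is described only in words. The following script, added here as an illustration and not the analyzer's own code, shows one way to reproduce the check: pull the /URI targets out of a PDF's link annotations, measure how many are external, how many point at other .pdf files and how strongly they cluster on one host, and combine that with the file size. The thresholds are assumptions, since the report does not publish the values the real heuristic uses. The regex only sees literal-string /URI actions in an uncompressed body; a sample from the wild usually keeps its annotations in compressed object streams, which must be inflated first. The two inputs are constructed: an invented 20-link farm on `.invalid` hostnames, and a benign control built from the three font-licensing URLs at the end of the report's URL list, assumed to come from embedded font metadata rather than link annotations.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions made for this example; the report does not publish
# the values its PDF_SEO_LINK_FARM heuristic actually uses.
MAX_SMALL_PDF_BYTES = 200_000   # "small PDF"
MIN_EXTERNAL_LINKS = 15         # "many clickable external links"
MIN_PDF_TARGET_SHARE = 0.8      # most targets are themselves .pdf files
MIN_TOP_HOST_SHARE = 0.5        # "mostly clustered on one host"

# Literal-string /URI actions in an uncompressed PDF body. Real samples often keep
# annotations inside compressed object streams, so inflate those (a PDF library
# does this) before applying the pattern to a file from the wild.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in link annotations, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        # Undo the PDF literal-string escapes that can occur in URLs: \( \) and \\.
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def analyze_pdf(pdf_bytes: bytes) -> dict:
    """Apply the link-farm heuristic and return the evidence behind the verdict."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    parts = [urlsplit(u) for u in external]
    hosts = Counter((p.hostname or "").lower() for p in parts)
    n = len(external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_targets = sum(1 for p in parts if p.path.lower().endswith(".pdf"))
    result = {
        "size": len(pdf_bytes),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
        "pdf_target_share": pdf_targets / n if n else 0.0,
    }
    result["link_farm"] = (
        result["size"] <= MAX_SMALL_PDF_BYTES
        and n >= MIN_EXTERNAL_LINKS
        and result["pdf_target_share"] >= MIN_PDF_TARGET_SHARE
        and result["top_host_share"] >= MIN_TOP_HOST_SHARE
    )
    return result


def build_pdf_with_links(urls) -> bytes:
    """Assemble a minimal uncompressed one-page PDF whose /Annots are URI links.
    Constructed for this example; it is not the sample from the report."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        y = 700 - 14 * i
        esc = url.encode("latin-1").replace(b"\\", b"\\\\")
        esc = esc.replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/Border [0 0 0] /A << /S /URI /URI (" % (y, y + 12)
                    + esc + b") >> >>")
    out = b"%PDF-1.4\n"
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return out


# Constructed link-farm input: 20 links to .pdf files, 14 of them on one host.
# The hostnames are invented (.invalid) and stand in for throwaway upload hosts.
FARM_URLS = [
    "http://%s/uploads/2020/01/27/%06d.pdf"
    % ("files-example.invalid" if i < 14 else "mirror-%d.invalid" % i, i)
    for i in range(20)
]

# Benign control: the three font-licensing URLs from the report's URL list,
# assumed here to come from embedded font metadata rather than link annotations.
BENIGN_URLS = [
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://fedoraproject.org/wiki/Licensing/LiberationFontLicense",
]

if __name__ == "__main__":
    for label, urls in (("link-farm sample", FARM_URLS), ("benign sample", BENIGN_URLS)):
        print(label, analyze_pdf(build_pdf_with_links(urls)))
```

The verdict deliberately requires all four conditions at once: a long bibliography in a large report has many external links but is not small and rarely clusters on one host, while a short document with a handful of citations fails the link count. When triaging a real file, run `extract_link_uris` on the inflated object streams and compare the per-host counts with the URL list in the report; the farm-style targets here share the same `/uploads/<date>/` and `/uploads/1/3/0/...` path shapes across many disposable hosts.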
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000018d1.bin | 5dafc4f8c3dfd6217c723c8ac5463abc7e39b3cc197a4e8d212fae6520a53d16 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18D1 | 10252 bytes |
| font_01_sfnt_off0000d0c6.bin | cb1c8cbf188b645d16f95c9c252f2ebc66d3fda19335e70e885de5089d495fe5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD0C6 | 2696 bytes |