MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a large number of embedded URLs pointing to external PDF files hosted on various domains. This pattern is indicative of a link farm, often used for SEO manipulation or to distribute malicious content. The heuristic 'PDF_SEO_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly support this assessment. While no scripts were extracted, the sheer volume of external links suggests a malicious intent to redirect the user.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://kempnermethodist.org/uploads/1/3/0/6/130639863/jobepuxemutorowonibu.pdf
- http://rayannashopeforafrica.com/uploads/1/3/0/7/130740255/b14f9897f.pdf
- http://motors-auto.com/uploads/1/3/0/7/130740062/zudisepin-situmososiv-limigor-jegilewa.pdf
- http://silk168.net/uploads/1/3/0/5/130551331/gimuti.pdf
- http://mywilshiremanning.com/uploads/1/3/0/6/130604804/4810106.pdf
- http://www.glassworx.info/uploads/1/3/0/7/130775109/372b588bc0226.pdf
- http://stickyearth.net/uploads/1/3/0/2/130291769/xifenizemavi.pdf
- http://facades-chaux-isolation.com/uploads/1/3/0/7/130776066/8ce06a478c493d.pdf
- http://jsmtutoring.com/uploads/1/3/0/5/130541624/dojez_ribesewovurujif_bodizifurex_mafapugap.pdf
- http://zaldivarvazquez.com/uploads/1/3/0/6/130621035/zedilojume-vomodokaze-pezowazaxufeja-sutukinid.pdf
- http://www.beyondexpertise.ph/uploads/1/3/0/4/130435988/dotakemox.pdf
- http://lorahakanson.com/uploads/1/3/0/6/130604556/9d26da.pdf
- http://host197.carmichaelnl.com/uploads/1/3/0/5/130539155/130539155.html#troponin+i+in+acute+myocardial+infarction
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00001666.bin945de70a68cf7368a16baf8959e58127629f68277625a58bad13fccfa247d329 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1666 | 10360 bytes |
font_01_sfnt_off0000e94f.binc048ac4ed90d63bfae46472f65f9cf6fc0bd5e75369f2d8f28771a6d96a2731c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE94F | 3156 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.