MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, aligning with the 'Pdf.Phishing.TtraffRobotInstall' signature.
Machine Learning
- Nyx PDF Classifier malicious score 0.9989
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL info (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000032b5.bin 75aadc8075978cba066472413c2758b77cde210a9586c65dde8272286d60cffb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32B5 | 1816 bytes |
| font_01_sfnt_off00003b04.bin 5278024270de67705d3a5034a26ce2f5e1d9e53f50705cc770b2190155f81e7b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3B04 | 6728 bytes |
| font_02_sfnt_off00004b70.bin e8b1834749b510479b18d35de1e5c3a9660f5a1610dd4089dc9f3569b9146093 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B70 | 16416 bytes |
| font_03_sfnt_off00006483.bin f9cb9804af26b24261295787cf3732632f0445f6c1e843124d9d763485687bfd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6483 | 8376 bytes |