Verdict: MALICIOUS
Risk Score: 136
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM', with the primary domain being 'conneracup.com'. This, combined with the 'SE_INVOICE_LURE' heuristic, suggests a phishing attempt where users are tricked into downloading further malicious content disguised as an invoice or payment confirmation. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and potential malware delivery nature of this file.
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://conneracup.com/uploads/1/3/0/9/130969446/tipagizamiz-gugat-fofelozekuse-makulasewafotu.pdf
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00003384.bin | f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3384 | 16204 bytes |
| font_01_sfnt_off00004b6d.bin | 001cf86c0a0907d4e4e79a7282313a56564d787e3c698fe908fe275f60a1fb5c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B6D | 8056 bytes |