MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell
The PDF document contains a large number of external links, a technique often used for SEO spam or to distribute malicious payloads. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external PDF links, with 'heatherdfulton.com' being a dominant host. The embedded URL 'http://adsl-63-204-18-38.benefitplans.org/uploads/1/3/0/6/130620822/130620822.html#bruce+springsteen+discography' also points to a potentially malicious resource. No scripts were extracted from this sample.
Heuristics 3
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://adsl-63-204-18-38.benefitplans.org/uploads/1/3/0/6/130620822/130620822.html#bruce+springsteen+discography
- http://heatherdfulton.com/uploads/1/3/0/7/130740442/debiketuf.pdf
- http://photos.joerussellphotos.com/uploads/1/3/0/9/130969565/75f06774a4a2.pdf
- http://creativehealthplan.co.uk/uploads/1/3/0/5/130547576/judekexetakaneti.pdf
- http://escortsclassifiednetwork.com/uploads/1/3/0/2/130270963/7762667.pdf
- http://www.sundreamjournal.com/uploads/1/3/0/6/130639540/3844599.pdf
- http://minacohospitality.com/uploads/1/3/0/3/130313480/2ff09.pdf
- http://200jobs.com/uploads/1/3/0/3/130323631/sasamivaxa_rozebadimaben_metafezosufer_bigemaxetanemex.pdf
- http://www.thatchwears.com/uploads/1/3/0/2/130273931/sekom.pdf
- http://happyvids.com/uploads/1/3/0/2/130272557/7468260.pdf
- http://www.charmiedrafke.com/uploads/1/3/0/2/130272582/6677572.pdf
- http://mta-sts.naturesthc.com/uploads/1/3/0/2/130272092/xagosesazebogon-lawolup-xerarusazirij-rodetekosi.pdf
- http://www.guap.biz/uploads/1/3/0/2/130272631/d2057.pdf
- http://adrasteiablaise.com/uploads/1/3/0/7/130774990/ronepukug-teduj-zofonadedu.pdf
- http://www.professionalseedresearch.com/uploads/1/3/0/7/130776249/mileledovi.pdf
- http://linda-schubert.com/uploads/1/3/0/6/130603922/8026252.pdf
- http://www.nauticalfilms.com/uploads/1/3/0/9/130969472/kuzodapozarepin-ziramax-jepojebukutana-tugeretabomiti.pdf
- http://ibuytravel.ca/uploads/1/3/0/6/130621349/c83678ca.pdf
- http://peake.design/uploads/1/3/0/6/130639446/4594793.pdf
- http://livingthelifefantastic.net/uploads/1/3/0/5/130550925/tugevazaranoranisi.pdf
- http://nastybritches.com/uploads/1/3/0/5/130545278/defogusoza-bogagoxarajuke-wavigebanod-bobuzoze.pdf
- http://www.guidebridgestation.co.uk/uploads/1/3/0/6/130605325/763b653196bc2c.pdf
- http://www.focalprojects.com/uploads/1/3/0/6/130604306/295448.pdf
- http://thebaldwinfamily.com/uploads/1/3/0/7/130776008/7573313.pdf
- http://piegroupe.com/uploads/1/3/0/8/130813381/8550589.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00008d44.bin2b8d23426325fd7dbec2925bb70c2f9b677fae27134e8701f1d6011257bff8bd |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D44 | 7876 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.