MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a mass external link farm, with 31 links pointing to various domains. This is a strong indicator of SEO manipulation or a phishing lure. The ClamAV detection and ML classifier further support its malicious nature. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine a more specific attack pattern beyond link distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 3
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://krhphotography.com/uploads/1/3/0/2/130289453/zabokegej.pdf
- http://1objektiv.virtus.hu/uploads/1/3/0/4/130491253/jariniliwugite.pdf
- http://meroveo-officedistribution.store/uploads/1/3/0/2/130291572/527792.pdf
- http://www.therunwaycoach.nl/uploads/1/3/0/2/130288551/furidedafidij-sawaj-bonokidexi-jumegomorozajew.pdf
- http://www.christopherwood.org/uploads/1/3/0/5/130588511/2899813.pdf
- http://trialsacademy.com.au/uploads/1/3/0/8/130874429/woleneto.pdf
- http://3gatewaycenter.com/uploads/1/3/0/7/130740217/lozela.pdf
- http://www.bermanlawpc.com/uploads/1/3/0/8/130813372/c710dd7.pdf
- http://casettedemo.com/uploads/1/3/0/6/130620519/vomiv.pdf
- http://purebark.com/uploads/1/3/0/4/130488476/9893284.pdf
- http://www.srca.co.uk/uploads/1/3/0/5/130589036/1460340.pdf
- http://feelgoodprice.com/uploads/1/3/0/2/130271219/nimevikadi_bumemixifabew.pdf
- http://actressmodelsuperstar.com/uploads/1/3/0/7/130738812/zisirazixifigimod.pdf
- http://billingsequestrian.com/uploads/1/3/0/6/130620719/7219504.pdf
- http://www.osorio-avocat.com/uploads/1/3/0/3/130323659/wijiguzuruwo_vumepofupo_wuraze_votejidaduju.pdf
- http://mapleleafmarketing.ca/uploads/1/3/0/4/130489253/sesuritigope-gosivagoxi.pdf
- http://stadiumpubgrille.com/uploads/1/3/0/2/130270790/ac9d845c43ef.pdf
- http://idcnyc.com/uploads/1/3/0/7/130776316/f2b2155f7c1133.pdf
- http://ashlanddetailing.com/uploads/1/3/0/7/130776132/be66bda.pdf
- http://katiegbryant.com/uploads/1/3/0/2/130270792/sofukoziro_vuduru.pdf
- http://insuranceexecutive.net/uploads/1/3/0/7/130775539/baberotawobu.pdf
- http://splinteredmindshirts.com/uploads/1/3/0/5/130551266/3d6061a.pdf
- http://jbheatonresearch.net/uploads/1/3/0/7/130739967/62e2044e3f2.pdf
- http://roaringnews.com/uploads/1/3/0/8/130874429/radutanotoze.pdf
- http://a1893059xstreamtravel.xsideas.com/uploads/1/3/0/8/130813332/130813332.html#gujarat+samachar+newspaper+ahmedabad+today
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00004513.bina1dfedc2a05308503374a2409c94c0ed6c7696d1965b67032c4f236052733081 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4513 | 25716 bytes |
font_01_sfnt_off000082be.bine2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x82BE | 2652 bytes |
font_02_sfnt_off00008eaf.bin6fdb0cfb124f27136798df078baa2994f0ca20996749cce0b759968d5c670120 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8EAF | 8236 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.