Malicious PDF — malware analysis report

Static analysis result for SHA-256 95dbee663482796a…

MALICIOUS

PDF

Size: 39.4 KB
Authoring application: Smallpdf Desktop
MD5: dc41a4af53cf0768cf53a5561d02810a
SHA-1: a61e53ca34d63bb0bb4b9502f96af916974a333c
SHA-256: 95dbee663482796ae508ee366e1360584916c26fdc75a6a910f9abec226acd37
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, many pointing to raw IP addresses and suspicious domains, designed to lure users into downloading further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the critical heuristic 'PDF_SEO_LINK_FARM' strongly indicate a phishing or malware distribution campaign. The document body's text, while partially corrupted, includes phrases related to movie listings, suggesting a social engineering pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [high] PDF_SUSPICIOUS_LINK_LURE: Image-heavy PDF with invisible link to suspicious domain
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • [medium] PDF_URI_IP_LITERAL: Clickable URI points to raw IP address
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://95.217.124.64/uploads/2020/01/29/2465121.pdf
    • http://pizixiz.droneportal.ru/uploads/2020/01/28/redise.pdf
    • http://onlinesecurityservice.site/uploads/1/3/0/5/130588702/6029702.pdf
    • http://zoberaja.magimafr.ovh/uploads/2020/01/28/6866558.pdf
    • http://barringtonmiddleschoolpto.com/uploads/1/3/0/7/130775983/vonunidagex.pdf
    • http://nicole-florio.com/uploads/1/3/0/2/130287211/130287211.html#website+untuk++film+bioskop+indonesia

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off00001048.bin
  SHA-256: 298ba38c2cf7cb3b218bc76351b1477fc2c721ada2a6b0a147a25c1c75a885b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1048
  Size: 7680 bytes

Artifact 2
  Filename: font_01_sfnt_off00005299.bin
  SHA-256: 5d7ebd720715cd86529581f1d40cc643f68465477bd430d4be5ff736bc95f798
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5299
  Size: 16268 bytes