MALICIOUS
Risk Score: 72
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a large number of external links, many of which are dynamically generated and point to unrelated domains, indicating a link farm. The document body text, though partially corrupted, mentions merging PDF files and includes a URL that also suggests a utility, likely a lure to encourage users to click on the embedded malicious links. The primary intent appears to be directing users to potentially malicious websites through a deceptive pretext.
Heuristics 4
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00008c41.bin c1e176ed1dd118564529bcca135e9228292d49debe574cfd7f324a5a800ad932 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8C41 | 6424 bytes |
| font_01_sfnt_off00009be9.bin d1819a4b994bb0426fd23d43383ac12c4dd6cf90cc97b7098ea96be8929f1a9b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9BE9 | 7852 bytes |
| font_02_sfnt_off0000ba78.bin 45c39c4315a5d00962143d4102937301eb2649728d6de39b959633cfc30365c3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBA78 | 16144 bytes |