MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a large number of external links, indicative of a link farm or phishing lure. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document instructs the user to open a password-protected archive, a common tactic to bypass gateway security. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious download campaign. The embedded URLs are likely part of this distribution mechanism.
Heuristics (4)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000012de.bin 442c3cb07765299ff4c7b31be23d0ea150f272ba45f8da04b6957e6fe6388224 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12DE | 8000 bytes |
| font_01_sfnt_off00008f96.bin 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F96 | 2600 bytes |