MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a link farm pointing to numerous external PDF files, a common technique for SEO poisoning or distributing malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the 'SE_MFA_LURE' heuristic strongly suggest a phishing or credential harvesting attempt. The document body, though heavily obfuscated, contains references to 'Aadhaar card form download', indicating a lure related to official documents.
Heuristics 6
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
-
MFA / one-time-code harvesting lure high SE_MFA_LUREDocument asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://riciclometalli.it/uploads/1/3/0/7/130776325/manefa.pdf
- http://preview.cosmicaes.com/uploads/1/3/0/2/130291827/010cf97.pdf
- http://hostmaster.ddeckerandsons.com/uploads/1/3/0/8/130874059/ec9807c5f34.pdf
- http://mail.blackdoginstallations.com/uploads/1/3/1/0/131070166/335071990e8fa.pdf
- http://mtziongoshen.church/uploads/1/3/0/8/130814290/fevagemaru-lazirex.pdf
- http://dwellingplacecounseling.com/uploads/1/3/0/8/130813903/2fd587f53.pdf
- http://sekolahberpikirindonesia.com/uploads/1/3/0/2/130272080/sisitifewigij.pdf
- http://thepcgenie.co/uploads/1/3/0/6/130603858/7371765.pdf
- http://mta-sts.chsnjrotc.org/uploads/1/3/0/7/130775025/diremepupulut_venezukikesufol.pdf
- http://broadbybias.com/uploads/1/3/0/7/130775545/ratadol.pdf
- http://www.mytexaswildlife.org/uploads/1/3/0/4/130483230/b4a2110e.pdf
- http://www.phatbottomspray.com/uploads/1/3/0/6/130621068/5495895.pdf
- http://classroomsinthekitchen.com/uploads/1/3/0/8/130813417/mumizesojejesu.pdf
- http://74-123-77-52.mgwnet.com/uploads/1/3/0/7/130776734/130776734.html#aadhaar+card+form+download+in+pdf
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00003849.bin32b54217619f9438721b423dc2f4f4da0f78781b0811ea49af2be6b0310ecf56 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3849 | 16164 bytes |
font_01_sfnt_off00004d0f.bind907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4D0F | 2616 bytes |
font_02_sfnt_off000058ca.bina1b0f020d961122533d97fc4da17f0bb039317a313f360df92b376549666e381 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x58CA | 7856 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.