Verdict: MALICIOUS (Risk Score 102)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0, and an ML classifier also flagged it with high confidence. The presence of embedded URLs and a heuristic for a download button suggests a phishing or social engineering attack aimed at tricking the user into downloading further malicious content. The document body contains numerous URLs, with http://catalinacourier.com/uploads/1/3/0/5/130588899/8288705e4e31.pdf being a prominent example.
Machine Learning
- Nyx PDF Classifier malicious score 0.9968
Heuristics (4)
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://catalinacourier.com/uploads/1/3/0/5/130588899/8288705e4e31.pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000017a0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17A0 | 9944 bytes | a85ae9d94936b71656470ed7e6ece8be3864298e4e14874a0e4004f988ea9d17 |
| font_01_sfnt_off0001f0a3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F0A3 | 13752 bytes | 88783587c53701d3f08ddcff60a8ef66cb0f9173be521bfcdf6807526e733d46 |