MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link
The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. This strongly suggests a phishing or SEO manipulation attack, aiming to drive traffic to potentially malicious sites. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports this assessment. No scripts were extracted from this sample.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000177d.bin 8e726be55bb75b8e8c38a137160da31ed7747516cf7771c5e8436821fffcb763 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x177D | 8876 bytes |
| font_01_sfnt_off00008496.bin 9388a58babc0f7371ab8b22ddf63e987e79183136421922f1f0f7587c7ca8f0c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8496 | 3024 bytes |
| font_02_sfnt_off00008e8c.bin 78251bbbea8e2b33592f0a07b78fefd02946cf01f5f91bc0a8fd485a500c36e3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8E8C | 16100 bytes |
| font_03_sfnt_off0000a2ed.bin b8759e7c7d34fe5d9dd270544cf936da851edf2a293449b11895023a041eb4ea | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA2ED | 9328 bytes |