Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.002 Spearphishing Attachment
The PDF contains an embedded JavaScript stream and a large number of external links, indicating a link farm designed to redirect users to malicious content. The ClamAV detection and the 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggest this PDF is part of a phishing or malware distribution campaign. The primary attack pattern involves leveraging the embedded JavaScript to facilitate the download of further malicious PDFs from the numerous linked domains.
Heuristics (5)
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00001023.bin | c7ca53b21c41580cd65f0b96f11737ece78cf388b3c32620296081e21f4f0586 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1023 | 8824 bytes |