Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a0d89dec8af2316…

Verdict: MALICIOUS
File type: PDF
Size: 48.6 KB
Authoring application: SWFTools
MD5: 96b0e3b7c0a4236fb1d9ee6dab7cef38
SHA-1: ae2f879c5768b85ae0180df8084d217f247f365f
SHA-256: 1a0d89dec8af23162c12eeff4ea6dfa1322ab9697946e7e8cef4ca241d2c96f4
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a link farm with multiple external URLs, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further indicates a phishing or malicious download attempt. The document body, though heavily obfuscated, contains references to 'download game java' and includes several of the external URLs, reinforcing the lure to download potentially malicious content.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000011c8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11C8   10192 bytes
  SHA-256: 158eaf1e952ef7f967c836743bc5ec5f5edf8badb156881f4ab48601ace20af2
font_01_sfnt_off0000634b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x634B   4868 bytes
  SHA-256: 9c78873e0e9633f43e056e742d27a1a99101d3ec4eca27c1acfda4ba00121c3e
font_02_sfnt_off000072d9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x72D9   18628 bytes
  SHA-256: 5de795b3210d50a263f881cfbae37c7daabdcaac5728e089afc0b5065b7fe962