Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a8c31042a03dcbf…

Verdict: MALICIOUS
File type: PDF
Size: 36.6 KB
Authoring application: Smallpdf Desktop
MD5: 71d72da49a8141f0197ea071c7dd9dd9
SHA-1: 173915470a1551550efa9628d9b939efa84b34bc
SHA-256: 1a8c31042a03dcbf473fea92dd01765850ed7472f5dac2cc0081f1a8a60a5cdb
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports its malicious nature. The primary attack pattern involves directing users to a vast network of linked PDF documents, likely for SEO manipulation or to serve as a distribution point for further malicious activities.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://rollingdoorsny.org/uploads/1/3/0/3/130379549/fff325746e3.pdf
    • http://micahtwilson.com/uploads/1/3/0/6/130640181/7933445.pdf
    • http://www.yourworryfreehome.com/uploads/1/3/0/3/130312951/mafebanuwoduge.pdf
    • http://whiskeysurvivor.com/uploads/1/3/0/7/130740046/gazixewoporuxagu.pdf
    • http://fintoro.com/uploads/1/3/0/5/130550857/af9a84f65a64d.pdf
    • http://pirrellofamily.com/uploads/1/3/0/7/130775275/961c4b.pdf
    • http://www.sgskitchen.com/uploads/1/3/0/5/130588581/kukomef.pdf
    • http://bloemrx.com/uploads/1/3/0/5/130540592/962e31244992ed.pdf
    • http://alyssup.com/uploads/1/3/0/7/130775279/203c5.pdf
    • http://sdvisionfund.com/uploads/1/3/0/8/130814467/379fc316e.pdf
    • http://lynnpainters.com/uploads/1/3/0/6/130603955/xefavamuwokum.pdf
    • http://scommessasport.com/uploads/1/3/0/7/130740440/xabudorogak-jijop-wupiweganes.pdf
    • http://onesuggestion.net/uploads/1/3/0/7/130739007/zasuwexekakig_leperalagiwus_suked_votasopikerarak.pdf
    • http://teamworkprofile.com/uploads/1/3/0/4/130435622/9103714.pdf
    • http://meter-key.com/uploads/1/3/0/5/130590658/ba303.pdf
    • http://bethlehembaptistchurchsaginaw.com/uploads/1/3/0/2/130288720/xitejibeverugato.pdf
    • http://109river.com/uploads/1/3/0/8/130814339/4173824.pdf
    • http://spoletogreenfun.org/uploads/1/3/0/4/130483273/muwuwanegosu.pdf
    • http://bitcoinremittance.com/uploads/1/3/0/4/130435851/dde0b7ff208e191.pdf
    • http://nonreligiousspiritual.com/uploads/1/3/0/7/130776367/suvulotufefo_lezafol_leneget.pdf
    • http://www.hoonehooldus.com/uploads/1/3/0/5/130588850/359970.pdf
    • http://www.acproservicesglendaleaz.com/uploads/1/3/0/6/130639700/piluvus.pdf
    • http://mta-sts.tintacomunicaciones.cl/uploads/1/3/0/6/130621472/pimizopap.pdf
    • http://vacationsofdiscovery.voyagerwebsites.com/uploads/1/3/0/3/130312974/130312974.html#ppt+simple+past+tense+dan+present+perfect+tense

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002e19.bin
SHA-256: 4688f8d9336a5caf5ed8f74b0fa98a1ef3a22a75c336e3452a495a70763cd0f9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2E19
Size: 7232 bytes