Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b7cb14dd3fca83e…

Verdict: MALICIOUS
File type: PDF
Size: 34.0 KB
Authoring application: PDF Studio
MD5: 9d1942e9f3f486442db372e810052d9f
SHA-1: 0f3ed8d00e4ea813d5e000614ac87d040133a71e
SHA-256: 1b7cb14dd3fca83e9268e9cab701fbfc447430e749b7159439279c8c70db5e50
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file contains a large number of external links, a pattern characteristic of SEO spam or phishing campaigns. The 'SE_MFA_LURE' heuristic indicates that the document's content is designed to trick users into providing sensitive information such as one-time codes or MFA approvals, consistent with credential harvesting. ClamAV further confirms the malicious classification, detecting the file as 'Pdf.Phishing.TtraffRobotInstall'. The embedded URLs likely lead to further stages of the attack or to phishing pages.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_MFA_LURE (high): MFA / one-time-code harvesting lure
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002a20.bin
SHA-256: 32167fd065a44bfd3789857bdecfde7f2bcf0d30c9168290c5e08f03489f2ba0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2A20
Size: 8528 bytes