Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d3b15c7dfc433ed…

MALICIOUS

PDF

42.1 KB Authoring application: PDFBox
MD5: 4ddef039ad1e49749096c7dba51263d4 SHA-1: 9c8645043db3d8939284e8c91e3a3e3f61af69af SHA-256: 1d3b15c7dfc433ed8ec3a9cc33c2504222b9223755703471e87e563a29e97423
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF contains a mass external link farm, with 9 of the 10 embedded URLs pointing to other PDF files. This is indicative of a SEO poisoning or link-farming attack. The presence of 'invoice' and 'payment' language, combined with a 'Click here to download' lure, suggests a phishing or scam attempt. ClamAV also detected this file as Pdf.Phishing.TtraffRobotInstall-7605656-0, further supporting a malicious classification.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://colormeribbons.com/uploads/1/3/0/5/130590371/konub-butiv.pdf
    • http://exoticbulliessale.com/uploads/1/3/0/5/130546457/riselexi.pdf
    • http://thezelinkareport.com/uploads/1/3/0/3/130323515/1431670.pdf
    • http://blackhillsbicycling.com/uploads/1/3/0/6/130621893/zegafuditusu_bazamikofizano_rofotitokidisot_bupanubetizoses.pdf
    • http://vizualpost.net/uploads/1/3/0/5/130589409/782904.pdf
    • http://carwashpumprepair.com/uploads/1/3/0/7/130739198/9963897.pdf
    • http://thepadremotel.com/uploads/1/3/0/6/130620668/3947285.pdf
    • http://analyticstitan.com/uploads/1/3/0/6/130620305/1306d.pdf
    • http://alexandriasday.com/uploads/1/3/0/2/130288707/jesonesazi.pdf
    • http://nuobeijing.devsite-1.com/uploads/1/3/0/6/130620375/130620375.html#invoice+template+excel+a5

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000011ec.bin
942ba8299a8447971c332827063049b4dd2a07c2be45fc31e4de4ba64a4b6f3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11EC 7968 bytes
font_01_sfnt_off000069b3.bin
d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69B3 2616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.