Malicious PDF — malware analysis report

Static analysis result for SHA-256 2515ea559bd08df4…

Verdict: MALICIOUS
File type: PDF
Size: 39.7 KB
Authoring application: PDFBox
MD5: 1a884409662c4fe59a561dbf15785732
SHA-1: d1e4152d5435c66a1c4282d2ef2a8a3b5bd8228c
SHA-256: 2515ea559bd08df4380bef978bb31a140da6b44f065ae56353f144b08bc39b44
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to distribute malicious content. The heuristic 'SE_CALLBACK_LURE' indicates that the document body may contain deceptive text, such as a fake billing or security issue, intended to trick users into interacting with the malicious links. ClamAV detection further confirms the malicious nature of the file with the signature 'Pdf.Phishing.TtraffRobotInstall'. The primary intent appears to be directing users to potentially malicious websites through the numerous embedded URLs.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00004179.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4179   9388 bytes
  SHA-256: 599af4c70f68cf23eacfe17fcff749e1a9b59b0afead1e43504470dd02018bdd