Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b1cb48f9f490739…

MALICIOUS

PDF

Size: 32.9 KB
Authoring application: Soda PDF
MD5: 181efe5bbd0e66dbd4a578568574aee5
SHA-1: cfe460eab268a1c301b4a370bb79079d0376577d
SHA-256: 2b1cb48f9f4907390e259f3b6a743a542ca1cb283c63660ba9224cb74617bf19
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique commonly used in phishing campaigns to redirect users to malicious websites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malware distribution intent. The document body, though malformed, contains references to 'Autocad electrical 2017 tutorial for beginners pdf' and lists numerous URLs, reinforcing the lure to click on external content.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012ae.bin
SHA-256: a870471481b6fe037891247e369f7be1f0bfa738d159504112f662a689baad98
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12AE
Size: 7808 bytes