Malicious PDF — malware analysis report

Static analysis result for SHA-256 2eade48179e5813f…

MALICIOUS

PDF

35.3 KB Authoring application: Smallpdf Desktop
MD5: 7ecf418f0b10d61657cd47cbdc85ff0c SHA-1: da18cb4e2f0a49aa4596f158d13023d6a133bb27 SHA-256: 2eade48179e5813f75768df9641e647656a3f82f96503413deb95673148e7b63
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, each hosting a PDF file with a numeric or descriptive slug. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports a malicious intent, likely related to phishing or traffic redirection. The embedded URLs are the primary IOCs, suggesting a campaign focused on distributing or redirecting users to malicious content via these links.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://damselfly.org/uploads/1/3/0/2/130289433/1033683.pdf
    • http://deluxefrenchfries.net/uploads/1/3/0/7/130740118/9963892.pdf
    • http://foundationalwellness.info/uploads/1/3/0/2/130289540/xetemenetuj_bukutapo_fegotosogavuxe_tirakaxojimeli.pdf
    • http://nooracademyonline.com/uploads/1/3/0/4/130488251/metavekesunoli.pdf
    • http://blackhatbakery.com/uploads/1/3/0/3/130379291/zigaz.pdf
    • http://barcelonaappartement.com/uploads/1/3/0/5/130588676/segugi-koxaxito-nipune.pdf
    • http://stevenzhang.com.au/uploads/1/3/0/5/130588999/radazezalug.pdf
    • http://newyorkcityspeechtherapy.com/uploads/1/3/0/2/130273987/diwak.pdf
    • http://messybeards.com/uploads/1/3/0/2/130287738/berum.pdf
    • http://nwbookpro.com/uploads/1/3/0/6/130604429/fekuniko.pdf
    • http://randiandmike.com/uploads/1/3/0/6/130639591/130639591.html#learn+to+fly+letra

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000128e.bin
f6dcb95ed733d0484d85366d0117079bce3212c56072d027652d12e9d3c111b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x128E 8472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.