Malicious PDF — malware analysis report

Static analysis result for SHA-256 3045db64f90fd731…

Verdict: MALICIOUS
File type: PDF
Size: 61.8 KB
Authoring application: Karbon
MD5: 96a3c846ae42d4d0f2a846415d43f141
SHA-1: 167075caa1937fa18e9839cc5559c0215ccf754e
SHA-256: 3045db64f90fd7314ffdd32d05ce8a6ab75ee87a6e35f3d4989e5b638ea9c532
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

ClamAV detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis extracted 22 external URLs from a 61.8 KB document: 21 point at further PDF files under Weebly-style /uploads/ paths on disposable hosts, and the last at an HTML page whose fragment is an Arabic-language keyword string. That density of clickable cross-links to other PDFs, with no content of its own to justify them, is what the PDF_SEO_LINK_FARM heuristic flags: the document exists as a gateway that routes anyone who clicks into further SEO-poisoned PDFs and, downstream, into malicious or unwanted-software delivery chains.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://tebutupaxeno.weebly.com/uploads/1/3/0/5/130551824/bezuvapolunalu-tedovefa.pdf
    • http://miseniorcenters.com/uploads/1/3/0/2/130272509/debawunanisud_nevusis_rezatefef_dumizalesul.pdf
    • http://wovuloz.napolka174.ru/uploads/2020/01/28/84bca.pdf
    • https://luzisepig.weebly.com/uploads/1/3/0/2/130272385/4b2cd.pdf
    • http://lizziehewittdance.com/uploads/1/3/0/5/130551994/712d92649f.pdf
    • https://likigapawizi.weebly.com/uploads/1/3/0/3/130313117/a14307f6ecd3ad.pdf
    • http://lhsmaths.com/uploads/1/3/0/4/130489475/1091763.pdf
    • http://chrisreidstudio.net/uploads/1/3/0/4/130435672/3531972.pdf
    • http://dobigowo.maliei.xyz/uploads/2020/01/28/4f985cf.pdf
    • http://bafabaton.shaurmoff.com/uploads/2020/01/27/74744.pdf
    • https://jusajelowekif.weebly.com/uploads/1/3/0/6/130605492/908c81616d.pdf
    • http://dfd.ru/uploads/2020/01/27/nujenanuvare-dapiramodapixe-bazegunozas.pdf
    • https://gotexezanuroga.weebly.com/uploads/1/3/0/6/130604148/fanusezaj.pdf
    • http://euvat.solutions/uploads/1/3/0/5/130540072/labov-zusafaweko-wediforipajese-kivorojofopupo.pdf
    • http://dishingitupgame.net/uploads/1/3/0/5/130538831/fijevovewupir_nizobozamesew.pdf
    • http://kesh-dev.com/uploads/2020/01/28/711476.pdf
    • https://sesezirit.weebly.com/uploads/1/3/0/5/130589279/c04c3d79429ce95.pdf
    • https://bidesidevopukus.weebly.com/uploads/1/3/0/3/130323616/dovozot.pdf
    • http://domeneys.com/uploads/1/3/0/5/130550985/kaposamuwoture_bavexasax_radavezoraz.pdf
    • http://jez.walkwork.info/uploads/2020/01/27/leraterobesuvi.pdf
    • http://caredynamicsfl.com/uploads/1/3/0/2/130289695/9795409.pdf
    • http://christalawrencedesign.com/uploads/1/3/0/2/130273610/130273610.html#%D9%85%D8%A7+%D9%87%D9%8A+%D8%A7%D9%84%D9%82%D9%86%D8%A7%D8%A9+hbo+%D8%B9%D9%84%D9%89+comcast+xfinity

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off00008ee1.bin
SHA-256: 837f7f2ed4d29398cc98e858f7a3820644f6ee7d932e4a5814bdf7339e829fe9
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x8EE1
Size: 31100 bytes

Filename: font_00_sfnt_off000018e9.bin
SHA-256: 6d65eddb8517c1e8e8f0d6fa6baf11e878a93b63fa1cf5ca4e911778f3799861
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x18E9
Size: 8992 bytes
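The three pieces of this report that a practitioner might want to reproduce are the per-channel URL attribution behind EMBEDDED_URL, the density/clustering logic behind PDF_SEO_LINK_FARM, and the stream carving that produced the artifact table. The script below is an added example, not the analysis engine's code: it walks PDF objects with a regex-based scanner, inflates FlateDecode streams, labels each URL by the channel that reaches it (link annotation, JavaScript action, or body text), and scores a link-farm verdict. The thresholds (200 KB, 10 links, 80% .pdf targets, 50% on one domain), the registrable-domain approximation, and the sample PDF with its farm-host.example / other-N.test / body.example / js.example hosts are all constructed for illustration.

```python
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

OBJ_HDR = re.compile(rb"(\d+)\s+\d+\s+obj\b")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # ignore an indirect '/Length 5 0 R'
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
JS_RE = re.compile(rb"/S\s*/JavaScript\s*/JS\s*\(((?:\\.|[^\\)])*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

def iter_objects(pdf):
    """Yield (dictionary, stream_or_None, stream_offset) per indirect object; stream bytes are skipped via /Length."""
    pos = 0
    while m := OBJ_HDR.search(pdf, pos):
        start = m.end()
        sidx, eidx = pdf.find(b"stream", start), pdf.find(b"endobj", start)
        if sidx == -1 or (eidx != -1 and eidx < sidx):          # plain object, no stream
            yield pdf[start:eidx if eidx != -1 else None], None, None
        else:
            head, off = pdf[start:sidx], sidx + 6
            off += 2 if pdf[off:off + 2] == b"\r\n" else 1     # EOL after the 'stream' keyword
            length = int(lm.group(1)) if (lm := LENGTH_RE.search(head)) else pdf.find(b"endstream", off) - off
            yield head, pdf[off:off + length], off
            eidx = pdf.find(b"endobj", off + length)           # so 'endobj' inside binary data is never seen
        if eidx == -1:
            return
        pos = eidx + 6

def decode_stream(head, data):
    """Undo the one filter handled here (FlateDecode); None on corrupt data instead of aborting the scan."""
    if b"/FlateDecode" not in head:
        return data
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

def carve_streams(pdf):
    """Rows like the 'Extracted artifacts' table: offset, decoded size and SHA-256 of each stream."""
    return [{"offset": f"0x{off:X}", "size": len(p), "sha256": hashlib.sha256(p).hexdigest()}
            for head, data, off in iter_objects(pdf)
            if data is not None and (p := decode_stream(head, data)) is not None]

def extract_urls(pdf):
    """Map each URL to the channel(s) that reach it: /URI link annotation, JavaScript action,
    or plain text in a content stream (after FlateDecode). This is the per-URL label idea."""
    found = {}
    def add(url, channel):
        found.setdefault(url.decode("latin-1"), set()).add(channel)
    for head, data, _ in iter_objects(pdf):
        for u in URI_RE.findall(head):
            add(u, "link-annotation")
        for js in JS_RE.findall(head):
            for u in URL_RE.findall(js):
                add(u, "javascript")
        if data is not None:
            for u in URL_RE.findall(decode_stream(head, data) or b""):
                add(u, "body")
    return found

def link_farm_verdict(pdf, urls, max_size=200_000, min_links=10, min_pdf_share=0.8, min_cluster=0.5):
    """Assumed reading of PDF_SEO_LINK_FARM (thresholds are guesses): a small file whose clickable
    links are numerous, mostly target other PDFs, and cluster on one registrable domain."""
    clickable = [u for u, ch in urls.items() if "link-annotation" in ch]
    if len(pdf) > max_size or len(clickable) < min_links:
        return False, {"links": len(clickable)}
    pdf_share = sum(urlsplit(u).path.lower().endswith(".pdf") for u in clickable) / len(clickable)
    # Crude eTLD+1 (last two host labels); a production scanner would consult the public suffix list.
    top_dom, top_n = Counter(".".join((urlsplit(u).hostname or "").split(".")[-2:]) for u in clickable).most_common(1)[0]
    stats = {"links": len(clickable), "pdf_share": pdf_share, "top_domain": top_dom, "cluster": top_n / len(clickable)}
    return pdf_share >= min_pdf_share and stats["cluster"] >= min_cluster, stats

def build_sample_pdf(uris, body_url, js_url=None):
    """Constructed input: one page, a /Link annotation per URI, a FlateDecode content stream naming
    body_url in text, optionally an OpenAction JavaScript launching js_url. No xref table is written."""
    packed = zlib.compress(b"BT /F1 12 Tf 72 700 Td (See " + body_url.encode() + b") Tj ET")
    js = b" /OpenAction << /S /JavaScript /JS (app.launchURL\\(\"%s\"\\)) >>" % js_url.encode() if js_url else b""
    objs = [b"<< /Type /Catalog /Pages 2 0 R" + js + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [%s] >>"
            % b" ".join(b"%d 0 R" % (5 + i) for i in range(len(uris))),
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (%s) >> >>" % u.encode()
             for u in uris]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# Constructed sample shaped like the listing above: eight .pdf links on subdomains of one domain,
# three .pdf and one .html link on other hosts, plus one body-text URL and one JavaScript URL.
SAMPLE_LINKS = [f"https://{w}.farm-host.example/uploads/1/3/0/5/13055{i}/{w}.pdf"
                for i, w in enumerate("alpha bravo charlie delta echo foxtrot golf hotel".split())]
SAMPLE_LINKS += [f"http://other-{i}.test/uploads/2020/01/28/{i}.pdf" for i in range(3)]
SAMPLE_LINKS += ["http://other-3.test/uploads/1/3/0/2/130273610/130273610.html"]
SAMPLE = build_sample_pdf(SAMPLE_LINKS, "http://body.example/notes.pdf", "http://js.example/x.pdf")
BENIGN = build_sample_pdf(["https://doi.example/paper.pdf", "https://site.example/"], "https://site.example/")

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE, extract_urls(SAMPLE)), carve_streams(SAMPLE))
```

Run as a script it prints the verdict tuple for the constructed sample (flagged: 12 clickable links, 11/12 targeting .pdf, 8/12 on farm-host.example) and the single carved stream row. The scanner deliberately separates clickable links from URLs that merely appear in body text or in a JavaScript string, because only the first kind is what a user is routed through; a URL in a decompressed content stream is evidence for the analyst, not a detection. It handles only FlateDecode, ignores object streams (/ObjStm) and incremental updates, and reads /Length to step over binary data; a production tool should hand parsing to a real PDF library and keep only the scoring logic.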