Malicious PDF — malware analysis report

Static analysis result for SHA-256 30828cd25de07105…

MALICIOUS

PDF

Size: 49.7 KB
Authoring application: PDF Studio
MD5: 898fc65447b63a71efc7a6e4be238253
SHA-1: b31fc4cf284e6e52db66ddf01213e57577b47ae9
SHA-256: 30828cd25de071056df77151a11de002935d5c6c3772520efa0eb5d730ed55dc
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file triggers a link-farm heuristic, indicating that it is designed to redirect users to multiple external URLs. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-redirection intent. The embedded URLs, all pointing to similarly structured paths on different domains, are likely part of this malicious redirection scheme.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://consciousalism.com/uploads/1/3/0/2/130271113/31459.pdf
    • http://morganwaisner.com/uploads/1/3/0/7/130776174/1216434.pdf
    • http://eventsbyerrika.com/uploads/1/3/0/3/130379354/ac64b58c61c47.pdf
    • http://mylesjohnson.net/uploads/1/3/0/4/130483213/6900273.pdf
    • http://limousineinmillvalley.com/uploads/1/3/0/5/130588230/6326625.pdf
    • http://cashflowgrace.com/uploads/1/3/0/5/130551214/2899972.pdf
    • http://mediajusticehistoryproject.net/uploads/1/3/0/8/130813860/43fa614c651.pdf
    • http://comfibody.co.uk/uploads/1/3/0/7/130738615/weviba.pdf
    • http://ohsua.com/uploads/1/3/0/5/130590295/7665807.pdf
    • http://danceonproductions.com/uploads/1/3/0/3/130324044/lidokavofiwubu.pdf
    • http://faithbeyondfear.net/uploads/1/3/0/5/130588850/07b8c.pdf
    • http://shoetossers.com/uploads/1/3/0/3/130313156/legafokugusilar.pdf
    • http://mwmorriscreative.com/uploads/1/3/0/2/130274349/c3e08e51.pdf
    • http://ashleighvaillancourt-winebrenner.com/uploads/1/3/0/4/130476688/8f8f9cf092ca862.pdf
    • http://www.mindshub.com/uploads/1/3/0/8/130874077/2921083.pdf
    • http://alma-leather.com/uploads/1/3/0/7/130776326/wulezaronuz.pdf
    • http://paigehathawaymedia.com/uploads/1/3/0/5/130546593/130546593.html#hindu+calendar+vikram+samvat+2049
    • http://eventsbyerrika.com/uploads/1/3/0/3/130379354/ac64b58c61c

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004bec.bin
  SHA-256: 8843c959cb0d4c4a615cef5a9fdbd6607fbc4055057c238c96e47a1f98b869a8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4BEC
  Size: 16488 bytes

Filename: font_01_sfnt_off0000655e.bin
  SHA-256: ce670c559f767569efb2377642e0121fcd7aae7dac61abd3180c7e725590ee16
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x655E
  Size: 9476 bytes