Malicious PDF — malware analysis report

Static analysis result for SHA-256 311ae61cd7811738…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Authoring application: Solid Converter PDF
MD5: 86e4a1767ece3158c8df69b6d7f18529
SHA-1: 8a73e7b6bfc30a488084b73b3732654831a9665d
SHA-256: 311ae61cd78117388a75f2eaa7f88936276cfc182e0176b0d08d38b93534e45a
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1059.001 PowerShell

The PDF file contains a mass external link farm, with many links pointing to other PDF files. The document body instructs the user to copy and paste content into a shell, a common social engineering tactic (ClickFix) to bypass macro restrictions and execute malicious commands. This suggests the document is a lure to download and execute a second-stage payload. ClamAV detection further supports its malicious nature.

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • ClickFix social engineering attack [high] SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://atlasmountaineering.co.uk/uploads/1/3/0/6/130621213/jupewemumi.pdf
    • http://thewardrobesquad.com/uploads/1/3/0/4/130483514/vidadig.pdf
    • http://collaborativepracticewashington.org/uploads/1/3/0/5/130539231/viwaseli.pdf
    • http://dianehunterart.com/uploads/1/3/0/4/130489933/6d376dd321.pdf
    • http://whittierboulevard.com/uploads/1/3/0/6/130620971/bbd2f7d946920.pdf
    • http://chloehorie.com/uploads/1/3/0/9/130969878/sedasawupogopaxaw.pdf
    • http://dalal.la/uploads/1/3/0/7/130740624/fazitaveju.pdf
    • http://ifyousuffer.com/uploads/1/3/0/5/130590724/3830882.pdf
    • http://twentiesandconfused.com/uploads/1/3/0/4/130477026/99bc871b231fd4.pdf
    • http://www.jameshaarsma.net/uploads/1/3/0/7/130775278/5305510.pdf
    • http://robthestore.com/uploads/1/3/0/2/130289681/dugenopu_sosaxotunoba.pdf
    • http://jinshazongheyulecheng.br3h.com/uploads/1/3/0/5/130543310/makok.pdf
    • http://parea.co.uk/uploads/1/3/0/4/130475965/gobumitiberap-logigesiwoweton-dafusur.pdf
    • http://applepickndays.com/uploads/1/3/0/7/130776646/44667a56.pdf
    • http://unhappycamperstudios.com/uploads/1/3/0/2/130287529/fusujupugaw.pdf
    • http://midcoastconsult.com/uploads/1/3/0/7/130776425/siziw.pdf
    • http://mydripconnect.com/uploads/1/3/0/7/130738638/e8b72f7.pdf
    • http://bodyspiritfood.com/uploads/1/3/0/5/130540104/sananugowo_rotame_xajilakop_ripup.pdf
    • http://meubnb.com/uploads/1/3/0/4/130488199/bc275649a09f7.pdf
    • http://www.ashleykellysaxophone.com/uploads/1/3/0/5/130539344/4275cecf08c3.pdf
    • http://musicroots.club/uploads/1/3/0/4/130489567/visunegifasomov.pdf
    • http://portugueshotelescumbreswb.devsite-1.com/uploads/1/3/0/8/130874403/130874403.html#how+to+change+text+color+in+facebook+comment+box

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005175.bin
SHA-256: b0aec5447d931e287b0079f910851c150fdcd2412ce162fe35863053748eac3a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5175
Size: 8196 bytes