Malicious PDF — malware analysis report

Static analysis result for SHA-256 335bc865eaf25564…

MALICIOUS

PDF

46.6 KB Authoring application: PDFBox
MD5: 235f4a9211f8207a7d1df686a79d4f5d SHA-1: 02ddcf17b6d943c0223b40e832351f8e1ab69302 SHA-256: 335bc865eaf25564371fe9969a439b90ada46d20aaeafe259302a0e0e9587bda
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, a technique commonly used for SEO manipulation or to distribute further malicious content. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. The document body text is heavily corrupted and does not provide clear user-facing lures.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://comicatcreations.com/uploads/1/3/0/4/130488370/dazezatosujife.pdf
    • http://www.longacrefoods.com/uploads/1/3/0/6/130621610/mupavigiri.pdf
    • http://vitality-mens-health.com/uploads/1/3/0/7/130776823/8cf04447a5.pdf
    • http://autoshredder.net/uploads/1/3/0/7/130775232/lepat.pdf
    • http://preshilmyparts.com/uploads/1/3/0/7/130775014/9781412.pdf
    • http://newbethelrolesville.com/uploads/1/3/0/6/130604061/4224072.pdf
    • http://romehighnews.info/uploads/1/3/0/6/130603982/9121aa.pdf
    • http://connoredel.com/uploads/1/3/0/3/130323761/99bd713.pdf
    • http://overthetoprentals.com/uploads/1/3/0/6/130603983/7289370.pdf
    • http://newenglandcapitalmarkets.com/uploads/1/3/0/4/130483804/8316763.pdf
    • http://www.anuradhakowtha.com/uploads/1/3/0/2/130291030/2295137.pdf
    • http://resources.zapter.io/uploads/1/3/0/6/130639653/8100640.pdf
    • http://rethreadclothingco.com/uploads/1/3/0/8/130814355/278441.pdf
    • http://adimef.com/uploads/1/3/0/7/130740462/vepuwopufuko.pdf
    • http://mpassociatesrealtors.com/uploads/1/3/0/2/130289668/6040490.pdf
    • http://photog.fun/uploads/1/3/0/4/130475883/f314b6622686.pdf
    • http://www.afawifc.org/uploads/1/3/0/8/130873850/6cd1dcd.pdf
    • http://moonmeart.com/uploads/1/3/0/7/130776402/59bcf09cb2.pdf
    • http://imaginaryrats.com/uploads/1/3/0/4/130489898/ragixax.pdf
    • http://kimleephotography.net/uploads/1/3/0/6/130604833/pasali-wuzigisip.pdf
    • http://www.century21realtysolutions.com/uploads/1/3/0/6/130604312/9b2f12c784.pdf
    • http://theleawoodfamilydentist.com/uploads/1/3/0/5/130588951/130588951.html#excel+advanced+filter+does+not+equal+blank

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004765.bin
83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4765 1708 bytes
font_01_sfnt_off000052e6.bin
99e8b117dd41e4da6e036124e4248a2b6c25556e252cb643d879be4eae65a02d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52E6 8984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.