Malicious PDF — malware analysis report

Static analysis result for SHA-256 39fcf3f4af9af14b…

Verdict: MALICIOUS
File type: PDF
Size: 35.4 KB
Authoring application: Soda PDF
MD5: 66cdcf880adc385e33e34076875e49b3
SHA-1: b91437f5ef6386ddb14961c6c5744ad96245b72a
SHA-256: 39fcf3f4af9af14b7b5605915d5989d810d97db7861c291e61bc1be1d4016d1a
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or distribution mechanism. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious intent, likely related to phishing or traffic redirection. The document body contains garbled text and some seemingly legitimate phrases, but the primary malicious activity is driven by the embedded URLs.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002f97.bin
SHA-256: 9e22123e4733322f628aade94bb8e581880a0372caa871748cb8feedf868cbfa
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2F97
Size: 9612 bytes