Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a30078ae0d37d50…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Authoring application: Serif PagePlus
MD5: 431dbbe92315215a87236652076bb747
SHA-1: 45c41c5abb36c6a3c7ef0e5c7d36d80e2c46b611
SHA-256: 3a30078ae0d37d5014f28d1c8864429ba997f75f23fb8c4b7ff59cd269867607
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to other PDF files. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further confirms its malicious nature. The document body, though partially corrupted, suggests a lure related to quantitative aptitude tests, indicating a phishing or malware distribution attempt.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000040b4.bin
  SHA-256: cfb3357b20fb01955c1e4a0ed568c791e3a97db8f0fbaa18432a833eaa1d19da
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x40B4
  Size: 2828 bytes

Filename: font_01_sfnt_off00004d9e.bin
  SHA-256: f8e356be324436dcb974ec4aef2576caa036badc4b42a4bf68f9c7b459c49da7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4D9E
  Size: 9236 bytes