Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a6be1be9140f3d1…

Verdict: MALICIOUS
File type: PDF
Size: 39.1 KB
Authoring application: PDFBox
MD5: 768d6a8f09c1f380068a4ff97fe2b656
SHA-1: ec5c42a14e8f7594d3dd409fbf5fbbd773ca49e0
SHA-256: 3a6be1be9140f3d1eadd93f98b63ab7a2e4ab139a80a0868e62f5fa7259cae8a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent, most likely phishing or traffic redirection. The embedded URLs are the primary indicators of compromise and point to a campaign that drives users toward potentially malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                   | Size
------------------------------|-----------------|------------------------------------------|-----------
font_00_sfnt_off000035dd.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x35DD | 7624 bytes

SHA-256 of font_00_sfnt_off000035dd.bin: 2c304873cb11378826ba121aebca26e2cdec0fb18496d6cc663c719071f39ad6