Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c4462348a05ba7c…

Verdict: MALICIOUS
File type: PDF
Size: 50.3 KB
Authoring application: Solid Converter PDF
MD5: 71e1fe9ff299acd928093d594c208636
SHA-1: 123201562d1e5828d4e0c83ee7ca4c7f2d966413
SHA-256: 3c4462348a05ba7c082ee500cec5e0d14d9215dd6b69a69dfdfcb631367de194
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment; T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded URLs, indicating a potential link farm or phishing lure. The heuristic PDF_SEO_LINK_FARM specifically flagged the mass of external PDF links, with the dominant host being midcoteaparty.com. This suggests the document is designed to redirect users to malicious content or to manipulate search engine results.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Dominant-host URL: http://midcoteaparty.com/uploads/1/3/0/6/130621479/mirabafewoxiroz-solel-zutoguda.pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000012cf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12CF   8540 bytes
  SHA-256: dc9925f3e1d7e33d02d034ae10aac4c4682e4b8a09d7bf1a6e602a4385523092
font_01_sfnt_off00007006.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7006   17648 bytes
  SHA-256: 062abeeb0630068c9ebda4cd69880ba7d22c023ef851e82e77d1a768bfa0705b
font_02_sfnt_off000089c2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x89C2   2600 bytes
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee