Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c7c26908c0cc4fc…

Verdict: MALICIOUS
File type: PDF
Size: 48.3 KB
Authoring application: Mobipocket Creator
MD5: 691a809410617ca2c2ffecda9e50a336
SHA-1: 4a768ddc2113e9c6db0537d3b37233b7bbdca9c4
SHA-256: 3c7c26908c0cc4fc36bbce40994b64ddfa6a3886a45d98a29b66b98c2708a4db
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file triggers a critical heuristic for a link farm: it contains numerous external URLs, mostly clustered on one hosting pattern. This strongly suggests a phishing or malware distribution attempt that aims to lure users to malicious sites. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports this assessment. No scripts were extracted, so the file carries no active content; the sheer volume of linked domains is what points to a coordinated effort to redirect users.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://zachpalmer24.com/uploads/1/3/0/6/130620267/dikisogif.pdf
    • http://myulrika.com/uploads/1/3/0/7/130776316/rasonepajarawu.pdf
    • http://drvdv.com/uploads/1/3/0/6/130620372/589763.pdf
    • http://stayinghome.nl/uploads/1/3/0/4/130489771/b89ae0.pdf
    • https://bexogadiwuru.weebly.com/uploads/1/3/0/4/130476010/ruviwatezuza_logeku.pdf
    • http://russianboutique.co.uk/uploads/1/3/0/3/130323182/12425e636fcb7.pdf
    • http://camryncs.com/uploads/1/3/0/6/130604336/nobakub-lagekubotozem-xibeboro-gujasiguzuxeka.pdf
    • http://morbegnoclassica.com/uploads/1/3/0/6/130605156/jifuraxabibumil.pdf
    • http://aeriali.net/uploads/1/3/0/6/130605269/702070f5b060a.pdf
    • http://trinkaus.services/uploads/1/3/0/6/130620429/1016864.pdf
    • http://damiandineen.com/uploads/1/3/0/2/130270887/130270887.html#arbitrage+pricing+theory+one-factor

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off000012c3.bin
    SHA-256: c6ea320b711d48ed4f0526e27b1b18127059f4e8d87ffdcf1810a1740b2748e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C3
    Size: 8932 bytes
  • font_01_sfnt_off00006d1b.bin
    SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D1B
    Size: 2864 bytes
  • font_02_sfnt_off00007697.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7697
    Size: 16036 bytes