Malicious PDF — malware analysis report

Static analysis result for SHA-256 3da979d19f6c97a2…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Authoring application: Karbon
MD5: 6492d71cee3603cb12b979c0db1002ca
SHA-1: 1d7fbeacd57ab8a1b174552bba9794a668104190
SHA-256: 3da979d19f6c97a2a7f9ffa87e245e66986b80cd8d01297711c0a7ff892e6199
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, most likely phishing or traffic redirection. The document body consists of garbled text, suggesting the file is not meant to be read by a user but serves as a carrier for the embedded links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://endeavorsystems.com/uploads/1/3/0/6/130640119/guvabajejiril.pdf
    • http://1beechbrewing.com/uploads/1/3/0/7/130776367/kazusir.pdf
    • http://mail.moreytennis.com.au/uploads/1/3/0/4/130483134/5724525.pdf
    • http://myacrepairorlando.com/uploads/1/3/0/7/130739856/moravew.pdf
    • http://www.assistivecareproducts.com/uploads/1/3/0/6/130639836/kibogipewulavi-newavop-ritejawixa-luvejebef.pdf
    • http://courtneysuzannelee.com/uploads/1/3/0/4/130488888/xukimamujipetizir.pdf
    • http://mattborn.net/uploads/1/3/0/2/130289669/3186160.pdf
    • http://midvalleycars.net/uploads/1/3/0/5/130588663/mubama-modaw-jozojoparajapar.pdf
    • http://nautiluschamber.com/uploads/1/3/0/7/130738777/giretekanene.pdf
    • http://rustykettle.com/uploads/1/3/0/2/130271078/698f274.pdf
    • http://artofburkinafaso.com/uploads/1/3/0/7/130776157/01400.pdf
    • http://autodiscover.jonerikrosenborg.no/uploads/1/3/0/8/130814347/femelezasotejax_jisezebaxuto.pdf
    • http://eemlak.shop/uploads/1/3/0/6/130621055/vavonajotedu.pdf
    • http://pansyandivy.com/uploads/1/3/0/4/130483402/polisomesex_desidowusixez.pdf
    • http://hostmaster.ellisensemble.com/uploads/1/3/0/6/130604168/4451478.pdf
    • http://digital-human.org/uploads/1/3/0/6/130604869/b0696d73a868b1f.pdf
    • http://assuredwildlifecontrol.com/uploads/1/3/0/7/130775674/8400822.pdf
    • http://neilcutting.com/uploads/1/3/0/4/130476276/duliwu_vepakizumifefo_redefekafel_xojaxi.pdf
    • http://crosswalkjewelry.com/uploads/1/3/0/2/130272275/d1d8c.pdf
    • http://internshipessentials.com/uploads/1/3/0/7/130776526/fupiduzi.pdf
    • http://challengebasedcoding.com/uploads/1/3/0/4/130477492/6dadec478.pdf
    • http://shuffledelements.com/uploads/1/3/0/6/130640194/169477.pdf
    • http://host72.carmichaelnl.com/uploads/1/3/0/5/130590538/130590538.html#post+gastric+bypass+plant+based+diet
    • http://mattborn.net/uplo

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000043aa.bin
SHA-256: 3cf078216e90e3f1c5b51e0c540e07b737b06b989cac174623bfa2a1c23a18b4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x43AA
Size: 8024 bytes