Malicious PDF — malware analysis report

Static analysis result for SHA-256 3eaa9545d89007e0…

MALICIOUS

PDF

Size: 44.1 KB. Authoring application: Solid Converter PDF
MD5: 5d0a831a0fe7c2e67054e6009170194b
SHA-1: 3ca2df32ded4ef4ef311ea9434bcf57ac53475b5
SHA-256: 3eaa9545d89007e0bb0f230b9ce8efb83685df6559f62bcb044c5bd85c6f74dc
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded URLs, forming a link farm. These URLs likely lead to phishing pages or further malware downloads, consistent with a traffic redirection or phishing campaign.

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wawibow.lilosshop.com/uploads/2020/01/28/1e9ade614f8dd.pdf
    • http://lifuw.tomatis-siberia.ru/uploads/2020/01/27/rinelemeponoxal.pdf
    • http://padijike.ethsmart.biz/uploads/2020/01/29/e096c1111ac.pdf
    • http://jitog.englishabakan.ru/uploads/2020/01/29/59031e4.pdf
    • http://blackforestcampingandaccessories.com/uploads/1/3/0/4/130476313/najisiton.pdf
    • http://lilkerisace.com/uploads/1/3/0/6/130604778/lorawajuwozepi.pdf
    • http://nebak.ginecologialeon.com/uploads/2020/01/28/cab9bd.pdf
    • http://detskiekovriki-parklon.ru/uploads/2020/01/29/5546370.pdf
    • http://kimberlybengals.com/uploads/1/3/0/2/130274154/wisosuxojuxon.pdf
    • http://bayareaspark.com/uploads/1/3/0/6/130620687/4910096.pdf
    • http://iriselainecottagebnb.com/uploads/1/3/0/6/130639868/vosakewolupubofewip.pdf
    • https://nenukebopasuve.weebly.com/uploads/1/3/0/5/130539035/7245734.pdf
    • http://tegavup.magimafr.ovh/uploads/2020/01/27/xoxedafulitokig.pdf
    • http://iotverticals.com/uploads/1/3/0/2/130271232/2097666.pdf
    • http://progressplacetest2.weebly.com/uploads/1/3/0/4/130488158/fituw.pdf
    • http://buretolem.best-prices.icu/uploads/2020/01/28/wivagotipisaz_liwedib.pdf
    • http://nidogo.privat-market.ru/uploads/2020/01/28/358715.pdf
    • http://allamericandogexpo.com/uploads/1/3/0/2/130291803/130291803.html#examples+of+companies+using+activity+based+costing

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000014c8.bin
    SHA-256: 129cf0081fe73c410518f5c00f1f6ebf3959effb3180dd49f9972f0ed7af06e5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14C8
    Size: 7760 bytes