Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fbd7296c62d26c4…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Authoring application: Mobipocket Creator
MD5: bbf2de08204551af4f1b4e9b0fac44bc
SHA-1: a884e27a866dcde215ed24abb4eea960b5bd216e
SHA-256: 3fbd7296c62d26c4c25ea521820f38c6fd29872b3434e9622faa0ccddc402b00
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious Link
  • T1204.001 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell (mapped from the ClickFix lure, not from an extracted script)

This PDF contains a large number of embedded links to other PDF files hosted on various domains, indicative of a link farm or phishing distribution network. The SE_CLICKFIX heuristic indicates the document instructs users to press Win+R or paste a command, a ClickFix tactic that bypasses macro restrictions by having the victim run the command directly; the T1059.003 mapping comes from that lure rather than from active content, since no JavaScript or other scripts were extracted from the file. The SE_CALLBACK_LURE heuristic indicates a possible phone-scam or tech-support pretext. Note that the 14 extracted URLs sit on 14 distinct hostnames rather than one, but share the same /uploads/1/3/0/N/13xxxxxxx/ path template, so the clustering is at the level of a single hosting platform rather than a single host. The combination of link farming and social engineering points to a phishing or malware delivery attempt whose success depends on user interaction, not on automated exploitation.

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_CLICKFIX (high): ClickFix social engineering attack
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    14 URLs extracted (13 .pdf, 1 .html):
    • http://skinblood.com/uploads/1/3/0/5/130544385/3879053.pdf
    • http://lordoftheblock.com/uploads/1/3/0/6/130621458/1e533517fa6.pdf
    • http://ciairaincorporated.com/uploads/1/3/0/5/130539726/adc8a7a.pdf
    • http://bernicvintage.com/uploads/1/3/0/6/130621044/sawil.pdf
    • http://47secretstoayoungeryou.com/uploads/1/3/0/7/130738712/6f715be0dd.pdf
    • http://dlhp-solutions.com/uploads/1/3/0/7/130740169/mazez.pdf
    • http://siyairdrie.com/uploads/1/3/0/6/130603874/2659079.pdf
    • http://www.sifumyers.com/uploads/1/3/0/8/130813447/dfa0992692fc.pdf
    • http://diogenestheatercompany.com/uploads/1/3/0/4/130436236/8506380.pdf
    • http://www.foster-substain.com/uploads/1/3/0/5/130547450/6073739.pdf
    • http://sentinel.ai/uploads/1/3/0/5/130541656/3263378.pdf
    • http://mytraining.today/uploads/1/3/0/6/130603741/99c8a4966.pdf
    • http://thedevinediamonds.com/uploads/1/3/0/5/130550993/lobidononu.pdf
    • http://cloud.sentinel-air.com/uploads/1/3/0/6/130620892/130620892.html#outlook+imap+ost+file+location
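As an added example (not the analysis platform's own code), the three link- and text-based heuristics above, PDF_SEO_LINK_FARM, SE_CLICKFIX and SE_CALLBACK_LURE, re-implemented in Python over raw PDF bytes. It assumes uncompressed content streams and literal-string /URI values (a real pipeline would decode FlateDecode streams with a proper PDF parser), builds a constructed sample PDF using the hypothetical hosts links.example, alt1.example and alt2.example and the reserved number 1-800-555-0199, and goes one step beyond the page's stated rule: besides clustering external .pdf links by hostname it also clusters them by a digit-normalised directory template, which is what groups URLs like the 14 single-host ones in this report.

```python
"""Re-implementation of PDF_SEO_LINK_FARM, SE_CLICKFIX and SE_CALLBACK_LURE
over raw PDF bytes. Added example; not the analysis platform's own code.
Assumes uncompressed streams and literal-string /URI values."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: hypothetical hosts, not the hosts in the report.
FARM_HOST = "links.example"
OTHER_HOSTS = ["alt1.example", "alt2.example"]


def build_sample_pdf() -> bytes:
    """Small uncompressed PDF: 12 /Link annotations (10 on FARM_HOST) and a
    text stream carrying a ClickFix lure and a callback-phishing lure."""
    hosts = [FARM_HOST] * 10 + OTHER_HOSTS
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (http://%s/uploads/%d.pdf) >> >>\n" % (h.encode(), i)
        for i, h in enumerate(hosts)
    )
    text = (b"BT /F1 12 Tf (Press Win+R, paste the command and press Enter) Tj "
            b"(Call 1-800-555-0199 to cancel this subscription) Tj ET")  # 555-01xx is reserved
    return (b"%PDF-1.4\n1 0 obj << /Type /Page /Annots [" + annots + b"] >> endobj\n"
            + b"2 0 obj << /Length %d >> stream\n" % len(text) + text
            + b"\nendstream endobj\n%%EOF\n")


# PDF literal string (...) with backslash escapes; nested parens not handled.
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING)   # /URI (http://...) in a link action
TJ_RE = re.compile(PDF_STRING + rb"\s*Tj")      # (text) Tj show-text operator


def _unescape(raw: bytes) -> str:
    return raw.decode("latin-1").replace("\\(", "(").replace("\\)", ")").replace("\\\\", "\\")


def extract_uris(pdf: bytes) -> list[str]:
    """URI actions reachable from link annotations (the 'link annotation' channel)."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(pdf)]


def extract_text(pdf: bytes) -> str:
    """Visible text from uncompressed content streams (the 'document body' channel)."""
    return " ".join(_unescape(m.group(1)) for m in TJ_RE.finditer(pdf))


def path_template(url: str) -> str:
    """Directory part of the path with digit runs collapsed to N, so
    /uploads/1/3/0/5/130544385/3879053.pdf -> /uploads/N/N/N/N/N/"""
    path = urlparse(url).path
    return re.sub(r"\d+", "N", path.rsplit("/", 1)[0] + "/")


def link_farm_score(uris, file_size, *, max_size=200 * 1024,
                    min_links=10, cluster_ratio=0.5) -> dict:
    """Small file + many external .pdf links + links clustered on one host,
    or (extension beyond the page's rule) on one directory template."""
    pdf_links = [u for u in uris if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host, host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    n = len(pdf_links) or 1
    host_ratio, tpl_ratio = host_n / n, tpl_n / n
    return {
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host, "host_ratio": round(host_ratio, 3),
        "top_template": top_tpl, "template_ratio": round(tpl_ratio, 3),
        "hit": (file_size <= max_size and len(pdf_links) >= min_links
                and max(host_ratio, tpl_ratio) >= cluster_ratio),
    }


CLICKFIX_PATTERNS = {
    "win+r": re.compile(r"\b(?:win|windows)\s*\+\s*r\b", re.I),
    "paste-command": re.compile(r"\bpaste\b.{0,40}\b(?:command|terminal|powershell|cmd)\b", re.I),
    "shell-name": re.compile(r"\b(?:powershell|cmd\.exe|mshta|wscript)\b", re.I),
}
PHONE_RE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALLBACK_CTX = re.compile(r"\b(?:billing|refund|subscription|invoice|charged|fraud|security)\b", re.I)


def clickfix_hits(text: str) -> list[str]:
    """Names of the ClickFix lure patterns present in the document text."""
    return [name for name, pat in CLICKFIX_PATTERNS.items() if pat.search(text)]


def callback_lure(text: str, window: int = 120) -> list[tuple[str, str]]:
    """Phone numbers that appear within `window` chars of a billing/security keyword."""
    hits = []
    for m in PHONE_RE.finditer(text):
        ctx = text[max(0, m.start() - window): m.end() + window]
        kw = CALLBACK_CTX.search(ctx)
        if kw:
            hits.append((m.group().strip(), kw.group().lower()))
    return hits


def scan(pdf: bytes) -> dict:
    uris = extract_uris(pdf)
    text = extract_text(pdf)
    return {"uris": uris, "link_farm": link_farm_score(uris, len(pdf)),
            "clickfix": clickfix_hits(text), "callback": callback_lure(text)}


if __name__ == "__main__":
    import json
    print(json.dumps(scan(build_sample_pdf()), indent=2))
```

Run the file directly to print the verdict for the constructed sample; feed scan() real bytes only after inflating the content streams, otherwise the text heuristics see nothing. The template clustering is the part that matters for this report: by hostname alone the 13 .pdf links here spread over 13 hosts and would never cross the 0.5 ratio, while the shared /uploads/N/N/N/N/N/ directory template puts all of them in one bucket.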

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000339a.bin
SHA-256:  9895a95b89b7196e4b4bc118478216cbbfa514969f842bfb7453dcbf50ff871f
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x339A
Size:     7788 bytes

The carved font stream is listed for completeness; none of the heuristics above fire on it.