Malicious PDF — malware analysis report

Static analysis result for SHA-256 4810a7bd35bfb8aa…

Verdict: MALICIOUS
File type: PDF
Size: 67.8 KB
Authoring application: pstoedit
MD5: 743eebff13197016cbaa671feafaea7c
SHA-1: 2ed9a4235705dea5683c1670c6313ceb7f0c98f8
SHA-256: 4810a7bd35bfb8aaedc74661ea9a86fc27f88b2c98a8d12f466b8ce1bf6607c0
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a significant number of embedded URLs, forming a link farm. This strongly suggests the document is designed to lure users to external sites, likely for phishing or to download further malicious content. The presence of numerous, similarly structured URLs points towards an automated or mass-distribution campaign.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off000015f1.bin  | ef735da96bd4a55782dc61f09c4d7a684e8756dd683bf0abfd3c7dd24978be11 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15F1 | 8824 bytes
font_01_sfnt_off0000b7c6.bin  | 9becb1778febfac8f296ef1baff972437c35b41600f18c609027754ab721cdc8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB7C6 | 3084 bytes
font_02_sfnt_off0000c21b.bin  | 64d127ebb03444d5882d84dcd298ebf836cd5fac5ae27c70984091c9a4b5c441 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC21B | 16212 bytes