Malicious PDF — malware analysis report

Static analysis result for SHA-256 49dbaa9457c6f063…

MALICIOUS

PDF

Size: 36.3 KB
Authoring application: Adobe PDF Library 9.0
MD5: 06ea4a954362b2bc84e513adb569c14b
SHA-1: 97a003daf8cf68515981b3049928b97ac717dae0
SHA-256: 49dbaa9457c6f0637bae5ebbcca728e3faf82193d383ee37917ae99428460fae
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1566 Phishing
  • T1566.002 Phishing: Spearphishing Attachment

The PDF contains a large number of embedded links to other PDF files, a technique often used for SEO poisoning or to distribute malicious content. The heuristic 'SE_BROWSER_INSTALL_LURE' indicates the document's content likely prompts the user to install a browser extension or update, which is a common social engineering tactic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious installation lure. No scripts were extracted, but the embedded URLs are the primary indicators of malicious intent.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [high] SE_BROWSER_INSTALL_LURE: Browser extension / update installation lure
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000030d5.bin
SHA-256: 4407e2b8d6e26ed2ac798bc02401f56c99c2c3e36f5b83334479bca8a02695bb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x30D5
Size: 8008 bytes