Malicious PDF — malware analysis report

Static analysis result for SHA-256 54955330d264485e…

MALICIOUS

PDF

Size: 57.0 KB
Authoring application: GIMP
MD5: 65c87049980833505c92aecfae0862cd
SHA-1: 104f419ffe0f7ff0828d242522890d96d246bde2
SHA-256: 54955330d264485e12429208eaf469b007d95977521fe35bdbd6b3b0973be5eb
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external links, indicative of a link farm or phishing campaign. The primary heuristic that fired, PDF_SEO_LINK_FARM, confirms the presence of numerous external PDF links, suggesting an attempt to manipulate search engine results or to redirect users to malicious content. Some of these URLs also appear in the document body text, further supporting this assessment.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001486.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1486
    Size: 8780 bytes
    SHA-256: a293a30620d4a85e75713b7b1da7183fb8ed02a8023e087f22803975e3eb1f6e
  • font_01_sfnt_off0000a4fa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA4FA
    Size: 2600 bytes
    SHA-256: 9edc51b0ecaddb7c52e0498f181aabc5b6c653ed7fe1e7a0bb91979c5f9339ae