Malicious PDF — malware analysis report

Static analysis result for SHA-256 56a1ede8620f0bb6…

Verdict: MALICIOUS
File type: PDF
Size: 48.8 KB
Authoring application: ImageMagick
MD5: 6040cc7babdbebaab5348067fb401e06
SHA-1: f847456253d51904dbede4783f1eef569252e4ee
SHA-256: 56a1ede8620f0bb6fdd9faf7bdaf9a0de99261d7cd2a5d7704b5dffe68b318ec
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, flagged by the PDF_SEO_LINK_FARM heuristic, that point to external PDF files. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the presence of urgency and invoice lures further support a phishing or malicious redirection attack. The primary intent appears to be directing users to one of the numerous linked URLs, most likely to download further malicious content or to harvest credentials.

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Urgency / deadline lure [low] (SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure [low] (SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001278.bin
SHA-256: 78f2c3ccacaab6904e169abe8cd857ba934902be4e997dc8ee73954706be007f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1278
Size: 9408 bytes