Malicious PDF — malware analysis report

Static analysis result for SHA-256 56f1463a24287431…

Verdict: MALICIOUS
File type: PDF
Size: 114.1 KB
Authoring application: Inkscape
MD5: 50879a801bff8d6e0983339a4d01f5ca
SHA-1: c8d0bc5d17720e206cc779bd174623dc164427a2
SHA-256: 56f1463a2428743178919f789460f69cbed1c8517f3d07ac966bad8d50c1408c
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links point to numerous PDF files hosted on various domains, suggesting a coordinated effort to manipulate search engine results or distribute malicious content. The ClamAV detection further confirms the malicious nature of the file, classifying it as Pdf.Phishing.TtraffRobotInstall. No scripts were extracted from this sample, and the document body was heavily truncated and unreadable.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://organicbuddies.com/uploads/1/3/0/4/130483491/gizowajoxusefe-vofapix-nomogegisagewa-jutinezar.pdf
    • http://smallupsimpledown.com/uploads/1/3/0/6/130620459/lelofovim_jajadazowanej_bofatitorisox.pdf
    • http://www.thisnthatbusiness.com/uploads/1/3/0/6/130603853/95226.pdf
    • http://numeracyshed.com/uploads/1/3/0/5/130589229/4093303.pdf
    • http://clearyourclutterconsulting.com/uploads/1/3/0/2/130289400/bijizimoj.pdf
    • http://dreamlandstudios.org/uploads/1/3/0/6/130621557/2072820.pdf
    • http://movingmemorycompany.com/uploads/1/3/0/5/130588540/wavipijetemi.pdf
    • http://garlandcrew.com/uploads/1/3/0/3/130313093/kijoradufovo-zovibukiwiko.pdf
    • http://northstarmobilehomepark.com/uploads/1/3/0/5/130589014/molajatidifuf-kidedex.pdf
    • http://pattayapropertymanagement.com/uploads/1/3/0/2/130289365/3698857.pdf
    • http://nyayouth.com/uploads/1/3/0/7/130740533/zigixon.pdf
    • http://bandmcrushers.com/uploads/1/3/0/6/130604013/zofixis_vunaf.pdf
    • http://mycasasale.com/uploads/1/3/0/6/130639873/gerer.pdf
    • http://stmarysautorepairandsales.com/uploads/1/3/0/7/130775635/7969131.pdf
    • http://tristamalexander.com/uploads/1/3/0/4/130476432/8d107b4e4a4.pdf
    • http://gameofthronesofmuppets.com/uploads/1/3/0/3/130313391/polidozi.pdf
    • http://lauryan.org/uploads/1/3/0/5/130540642/mufumututukufom_busotenake.pdf
    • http://mission-scamper.com/uploads/1/3/0/5/130551087/gikakabejemafiser.pdf
    • http://eesome.design/uploads/1/3/0/7/130776074/wuwufoxed.pdf
    • http://jeffreykroeze.com/uploads/1/3/0/6/130639712/dipesoravita.pdf
    • http://adventure49.pleasingfood.com/uploads/1/3/0/3/130313053/130313053.html#agrobacterium+tumefaciens+role+in+transgenic+plants
    • http://numeracyshed.com/up

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off000034e6.bin
    SHA-256: 4b7b4a44f9b70fb953130bba2f87097e6ca846522a7d8c8cdcdc45888ca95e6f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x34E6
    Size: 2896 bytes
  • font_01_sfnt_off000041c3.bin
    SHA-256: be82d17116a07a2fe8bf2fcde037fefa00370414ac9d1fc50232d454b3ab7b8d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x41C3
    Size: 8216 bytes