Malicious PDF — malware analysis report

Static analysis result for SHA-256 588697f25da638ac…

MALICIOUS

PDF

Size: 33.5 KB
Authoring application: PDFedit
MD5: 4c83e1feba1bbbd51cf5d189d7f9dd5d
SHA-1: 1443dc82f7e9b2829c9410e1ca6c82db9b831177
SHA-256: 588697f25da638acb1b77fbd8304d24384b2e4732d9bd21116afbcaf32f02604
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. This suggests a link farm or redirection mechanism. The presence of urgency and callback lures in the document body further supports a phishing or scam-related intent. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 aligns with these findings.

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure (severity: medium, rule SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • Urgency / deadline lure (severity: low, rule SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://nordicatravel.net/uploads/1/3/0/6/130639417/loxinu.pdf
    • http://bayareaboatandhomeloans.com/uploads/1/3/0/6/130605182/ziminevojusemo-lisemorini-rejuruderefu-zadekofifiped.pdf
    • http://mindforyou.org/uploads/1/3/0/7/130739185/1216336.pdf
    • http://seomontrealexpert.com/uploads/1/3/0/5/130550732/vomujebewokebos-pumadojapa-difulidizakovow-tibijakejiz.pdf
    • http://musclesandmimosas.us/uploads/1/3/0/6/130639630/b73595.pdf
    • http://quantuminstruments.com/uploads/1/3/0/8/130813084/tonokaj.pdf
    • http://camgirlclash.com/uploads/1/3/0/5/130590521/8523301.pdf
    • http://draasman.com/uploads/1/3/0/8/130813800/581236b8a.pdf
    • http://ndsucceed.com/uploads/1/3/0/7/130775174/delotanizuxajumew.pdf
    • http://wvmountainrevival.com/uploads/1/3/0/5/130545753/xoxafebakegesom.pdf
    • http://3828riverroadbricknj.com/uploads/1/3/0/5/130588417/gumudebo.pdf
    • http://initnowmix.com/uploads/1/3/0/6/130621479/wovoral.pdf
    • http://kiemtratenmien.net/uploads/1/3/0/5/130588651/42876a3e.pdf
    • http://wjholder.com/uploads/1/3/0/4/130483413/zowal.pdf
    • http://morris-auto.com/uploads/1/3/0/6/130603673/dilazifiwugi_lizimusedevapop_fosugudepi_dawenexukerobog.pdf
    • http://southerncrossland.com/uploads/1/3/0/7/130740213/zezokusava-lonarexuwano-binironivezur.pdf
    • http://pinjabruun.com/uploads/1/3/0/5/130589219/divugekenunebokane.pdf
    • http://mkstucco.com/uploads/1/3/0/5/130589014/e292e5f3c69.pdf
    • http://cpanel.jennifermannauthor.com/uploads/1/3/0/7/130776249/130776249.html#autodesk+inventor+2019+serial+number+and+product+key
    • http://initnowm

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000025a3.bin
SHA-256: 7b71845f4959cc8d088773515b82475f3415fda9158fc8c41f0ac779a50cbb48
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x25A3
Size: 7504 bytes