Malicious PDF — malware analysis report

Static analysis result for SHA-256 59e6159ca60f4063…

Verdict: MALICIOUS
File type: PDF
Size: 123.2 KB
Authoring application: PDF Studio
MD5: 0c896f5b31e7e460fb28fe75d8d806c5
SHA-1: e96e9f1c0b6248a0a65b48e452c1e62e729951b2
SHA-256: 59e6159ca60f4063e3003611e616a6cfdd755888b1f2b621dd3f3cfffcf3cd10
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document exhibits characteristics of an advance-fee scam, including lottery or parcel delivery lures combined with requests for payment or personal information. The presence of numerous embedded links to external PDF files, hosted on various domains, suggests a link farm designed to distribute malicious content or redirect users to phishing sites. The ClamAV detection further supports the malicious classification.

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nanaslittleworld.com/uploads/1/3/0/2/130289173/75bacb.pdf
    • http://nonreligiousspiritual.com/uploads/1/3/0/6/130621890/57c6a361ef.pdf
    • http://seedtoatree.com/uploads/1/3/0/6/130604554/42680dfb1.pdf
    • http://commongroundsphilly.com/uploads/1/3/0/6/130604158/putav.pdf
    • http://budekezuge.arteltiles.com/uploads/2020/01/29/riwuzeb_tifara_gixumakuxivefe_vapajowodow.pdf
    • http://nwapetgrooming.com/uploads/1/3/0/2/130289179/130289179.html#virginia+elaine+wheat

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000118c.bin
    SHA-256: bdf382714973b94de2f6137ad3039ea0a647d783fe3fe71576b2e28c8e158f92
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118C
    Size: 10384 bytes
  • Filename: font_01_sfnt_off00009355.bin
    SHA-256: c6b1c6ad83d7e4ae0a85a761cabc2ec2076d62e91e51f0d2dd6ad63f1c836e99
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9355
    Size: 5416 bytes
  • Filename: font_02_sfnt_off000199c2.bin
    SHA-256: 0595ada0112e89b93f32d986b5951ab20b2f85b40600355f548d092e565ec68b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x199C2
    Size: 16364 bytes
  • Filename: font_03_sfnt_off0001af56.bin
    SHA-256: 63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1AF56
    Size: 2600 bytes