Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e3450c135d76a49…

MALICIOUS

PDF

Size: 40.9 KB
Authoring application: Mobipocket Creator
MD5: fed532dafc4d2e3957f234ccbdb336ca
SHA-1: d298832f9b6a029b6abf925859c26c9fb3dcac1a
SHA-256: 7e3450c135d76a4909fb1ed27f44aedcb45af88e37f0956f81f522fb16b8a0bd
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external links, characteristic of a link farm designed to distribute malicious content. The primary heuristic firing, PDF_SEO_LINK_FARM, directly supports this finding, indicating the PDF's purpose is to redirect users through a network of links. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000043a0.bin
SHA-256: 5be33a94df93df83ef3a3c24b68e00aa6ca5520d8c5b094cd43dec4b90e681cd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x43A0
Size: 7652 bytes