Malicious PDF — malware analysis report

Static analysis result for SHA-256 804a7ac093140f28…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Authoring application: Smallpdf Desktop
MD5: 84b5e257395fc49de4bf0261f4304cf4
SHA-1: 991b052d9f1b41f2788e0c1e2789721f3c588af1
SHA-256: 804a7ac093140f2863dc88872f918d3f9a49a365313bb746cf5efc2e6408bd46
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link

ClamAV detects the file as malicious under the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis also found an unusually large number of external URLs embedded as link annotations: nearly all point to further PDF (in one case HTML) files under the same /uploads/1/3/0/N/… path template, spread across roughly a dozen unrelated domains. That is the footprint of a generated SEO link farm rather than genuine document citations, and such links most likely redirect users into phishing pages or malware/unwanted-software delivery chains. The visible document body is corrupted or meaningless and offers no further clue to the specific lure.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    The PDF is small yet carries many clickable external links to other PDF files. In this sample the links span about a dozen distinct hosts but all follow the same /uploads/1/3/0/N/… path template, which matches machine-generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detects this file as malware under the signature Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. A URL on its own is not a detection; what matters is the channel that carries it (macro, JavaScript, link annotation, document body, ...). URLs found in this sample:
    • http://eternity-games.com/uploads/1/3/0/4/130476712/kaboforomekek.pdf
    • http://zimpresos.com/uploads/1/3/0/5/130551129/9014775.pdf
    • http://brendashuler.com/uploads/1/3/0/2/130272232/1210201.pdf
    • http://abundanceforyou.ca/uploads/1/3/0/6/130620594/048c0.pdf
    • http://djtom-s.ch/uploads/1/3/0/7/130740210/5510246.pdf
    • http://www.commoditiespartners.com/uploads/1/3/0/8/130814586/6ab3dc725bc3a3.pdf
    • http://coloradoarttherapy.com/uploads/1/3/0/3/130324044/d2eb26c92b.pdf
    • http://radiantheartsconcertseries.com/uploads/1/3/0/2/130291658/e9225190d448f5b.pdf
    • http://onedayofbliss.org/uploads/1/3/0/2/130270768/xupefevixo.pdf
    • http://davidsolano.org/uploads/1/3/0/2/130272619/jejajenowu.pdf
    • http://leukothea.de/uploads/1/3/0/6/130605344/5446652.pdf
    • http://nathaniel-e-yamamoto.com/uploads/1/3/0/6/130639733/9041794.pdf
    • http://m999g.salon225.com/uploads/1/3/0/4/130483117/130483117.html#reticular+connective+tissue+function+and+location
    • http://brendashuler.com/uploads/1/3/0/2/130272232/121
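To make the PDF_SEO_LINK_FARM heuristic and the URL extraction above concrete, the following is an added example, not the analysis tool's own code. It pulls /URI link-annotation targets out of raw PDF bytes and scores the link-farm pattern. It generalizes the heuristic slightly: besides clustering on one host it also clusters on a shared path template, which is what this sample actually shows (many hosts, one /uploads/N/N/N/N/N/* template). The thresholds (at least 8 links, file under 200 KB, top cluster covering at least half the links), the build_link_pdf test-input generator and the reserved .example hosts in FARM_URLS are assumptions constructed for the example.

```python
"""Added example: pull /URI link targets out of a PDF and score the SEO link-farm heuristic.

Not the report tool's own code. It scans raw bytes, so it only sees annotation objects that
are stored uncompressed; PDFs that pack annotations into compressed object streams must be
decompressed first (e.g. with qpdf --qdf or pikepdf) before the regex will find them.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlsplit

# A /URI action target written as a literal string "(...)" or a hex string "<...>".
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target in order of appearance in the raw PDF bytes."""
    uris = []
    for lit, hexs in URI_RE.findall(pdf):
        if hexs:
            raw = bytes.fromhex(re.sub(rb"\s", b"", hexs).decode("ascii"))
        else:
            raw = re.sub(rb"\\([()\\])", rb"\1", lit)  # undo escaped ( ) and backslash
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Collapse digit runs and drop the last path segment so sibling upload paths share one key."""
    head = urlsplit(url).path.rpartition("/")[0]
    return re.sub(r"\d+", "N", head) + "/*"


def link_farm_score(pdf: bytes, min_links: int = 8, max_size: int = 200_000,
                    cluster_share: float = 0.5) -> dict:
    """Flag a small PDF whose external links mostly share one host or one path template.

    Thresholds are assumptions chosen for this example, not the report tool's values.
    """
    uris = [u for u in extract_uris(pdf) if u.lower().startswith(("http://", "https://"))]
    n = len(uris)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    templates = Counter(path_template(u) for u in uris)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_tmpl_share = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf) <= max_size and n >= min_links
               and max(top_host_share, top_tmpl_share) >= cluster_share)
    return {
        "size_bytes": len(pdf),
        "url_count": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host_share, 2),
        "top_template": templates.most_common(1)[0][0] if n else "",
        "top_template_share": round(top_tmpl_share, 2),
        "flagged": flagged,
    }


def build_link_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a one-page PDF whose only content is one /Link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for i, url in enumerate(urls):
        esc = url.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        rect = b"[72 %d 540 %d]" % (700 - 14 * i, 712 - 14 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect
                    + b" /A << /S /URI /URI (" + esc + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


# Constructed sample mirroring the report's pattern: 14 links on 14 unrelated hosts (reserved
# .example TLD), all under the same /uploads/1/3/0/N/13NNNNNNN/<name>.pdf path template.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/13{i * 104729:07d}/{i * 7919:x}.pdf"
             for i in range(14)]
# Constructed benign control: a few ordinary citations on different hosts and paths.
BENIGN_URLS = ["https://example.org/docs/spec.html", "https://example.net/", "https://example.com/about"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(label, link_farm_score(build_link_pdf(urls)))
```

The regex only covers /URI actions, which is the channel this sample uses; /Launch, /GoToR, /SubmitForm and /JavaScript actions are separate channels and need their own extraction, and a real triage pipeline should decompress object streams first so that annotations hidden in /ObjStm are not missed.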

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003560.bin
SHA-256: 6181cda3916c0be0b9ab726c7b52b23a4175928dfce42766813e8eed3ecd02c1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3560
Size: 7412 bytes