Malicious PDF — malware analysis report

Static analysis result for SHA-256 84a21b0eebbbf8d0…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Authoring application: SWFTools
MD5: 495bb6c8509b405cb5f71d7d88b4acc4
SHA-1: 1db64c512eb24e84d17a308964855bf9d22fc0fc
SHA-256: 84a21b0eebbbf8d04b7ae90c56f3ebfb12dfeb60a43bdfe0dcb83c2e2dbd34a4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further indicates malicious intent, most likely phishing or traffic redirection. The document body mixes seemingly legitimate text with the extracted URLs, suggesting a lure document built to disguise the link farm.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000132d.bin
    SHA-256: 6923248807fa57f27ade0d815dc32abf942f8788039d3915d5c9e2db2a89c3e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x132D
    Size: 9336 bytes