Malicious PDF — malware analysis report

Static analysis result for SHA-256 87d4fe4ba79a6e47…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Authoring application: QPDF
MD5: 8a3bec3c4274f2440f4f8b99f2dcb91a
SHA-1: 2c1b59b090a63d5625abbe817087e64c7973b950
SHA-256: 87d4fe4ba79a6e479a6d91baaf8274f4e48174e427c17069f59e41dc6864b5e4
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified as a link farm, and uses lures related to advance-fee scams and fake invoices. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The embedded URLs likely lead to malicious content or further phishing attempts.

Heuristics (6)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • Advance-fee lottery/parcel scam lure (severity: high; rule: SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure (severity: medium; rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Fake invoice / payment lure (severity: low; rule: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb. This is useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003af2.bin
SHA-256: f05c2a4cd309624f338c8808d6fe8a0dcc8e1c41311bd84370e16e08d089500f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3AF2
Size: 7740 bytes