Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a0b3ff2116a9021…

MALICIOUS

PDF

Size: 28.9 KB
Authoring application: Nitro PDF
MD5: 8d63d729bb342e51e5bc6a276066855b
SHA-1: d4764c033fb0aef68e1c1a130c17fff9757bfd11
SHA-256: 8a0b3ff2116a90218674141734bc0f3b25dbaf42275f2fd894348b94fc48ac35
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a significant number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious classification. The document body contains text related to 'Punjabi chura images' and mentions 'Nitro PDF', suggesting a lure to disguise the malicious link distribution. The primary attack pattern involves redirecting users through a link farm, likely to a phishing or malware distribution site.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://lovegallery.net/uploads/1/3/0/5/130539046/9ea2a7502.pdf
    • http://sierraunfiltered.com/uploads/1/3/0/2/130288802/1770793.pdf
    • http://nizkedane.com/uploads/1/3/0/5/130551049/nibiladexuvojumuluj.pdf
    • http://ownedbrands.net/uploads/1/3/0/7/130740232/nifewir_dudomobatago_lubebug_tolutaxoregiru.pdf
    • http://studentsmentalhealth.net/uploads/1/3/0/6/130605472/179bf.pdf
    • http://hbade.com/uploads/1/3/0/6/130604858/398074.pdf
    • http://scottmercer.org/uploads/1/3/0/7/130739573/pebosuv.pdf
    • http://absystemsllcscam.com/uploads/1/3/0/2/130291769/130291769.html#punjabi+chura+images

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000010b7.bin
    SHA-256: 2df754a58e77f1a2cf8fab913fc5789bfb4c799146f6ebdfd3d7aff0772e63c5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B7
    Size: 7752 bytes