Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a11f15950a78e89…

MALICIOUS

PDF

Size: 40.1 KB
Authoring application: PDFedit
MD5: bbb98ecdd22ded0c4ff3312b8bb9ecf5
SHA-1: ef036e57735bb41bc74e1fb3f843ca07141b8023
SHA-256: 8a11f15950a78e89fe3b6521f15f8d55c1f27431299f8b0df9cfbfbceb4b9acc
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links to other PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further suggests a phishing or traffic redirection scheme. The embedded URLs are likely part of this link farm, aiming to direct users to malicious content.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://skyloan.us/uploads/1/3/0/8/130874313/5878229.pdf
    • http://www.mrcoachreed.com/uploads/1/3/0/7/130775979/lojuririsefup-tedejogoxekup-vidoxugelidu.pdf
    • http://ontargetmolecules.com/uploads/1/3/0/5/130590410/guvawobuwewu.pdf
    • http://potentevisuals.com/uploads/1/3/0/4/130483253/63eaf4e324e.pdf
    • http://healthystartwebinar.com/uploads/1/3/0/2/130270753/7c60145f65e9879.pdf
    • http://byronestates.com/uploads/1/3/0/5/130543386/pemagazota.pdf
    • http://notonmeth.com/uploads/1/3/0/4/130489467/b78de01af5.pdf
    • http://datumdesignstudios.us/uploads/1/3/0/2/130272072/6e742d.pdf
    • http://myafricanloveseries.com/uploads/1/3/0/5/130588390/runukejoxedebos-fuvikake-winopexuvuwub.pdf
    • http://man-kind.com/uploads/1/3/0/4/130476572/xonezavevadufulivib.pdf
    • http://modernjeetkunedo.com/uploads/1/3/0/5/130539933/moromuxagomiloxo.pdf
    • http://host178.carmichaelnl.com/uploads/1/3/0/5/130589452/130589452.html#reading+passages+with+answers+pdf
    • http://myafricanloveseries.com/uploads/1

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000044af.bin
SHA-256: 93130e06af8820c8974863187b5d0e8493ad18ac61ef97d6a02f37211da15c81
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x44AF
Size: 8360 bytes