Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cc7d3df97c8512d…

Verdict: MALICIOUS
File type: PDF
Size: 50.0 KB
Authoring application: PDFBox
MD5: aef7ee3009128a4e50d924b7f20cd1f6
SHA-1: 2fa6c832ea8ace313fc9e7cf5c7a2309b9c5beaa
SHA-256: 8cc7d3df97c8512d9dcbfa941c7f14bbcb7e29f461f557135280d86c5664d4a8
Risk score: 208

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The sample is a PDF file that ClamAV detects as Pdf.Phishing.TtraffRobotInstall-7605656-0. It carries a link farm of seven external URLs on seven different hosts, six pointing to further PDF documents and one to an HTML page, all sharing the same /uploads/1/3/0/ path prefix; the lure text references invoices, payments, and MFA confirmation. The embedded URLs are consistent with a phishing or redirection chain intended to lead the user to download further malicious content or to hand over credentials, one-time codes, or payment details.

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the seven links sit on seven different hosts; the clustering is in the shared /uploads/1/3/0/ path template rather than in a single host.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware under the signature Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • SE_MFA_LURE (high): MFA / one-time-code harvesting lure
    The document asks for a one-time code, authenticator approval, or MFA confirmation, consistent with credential-phishing kits that steal session tokens or abuse multi-factor authentication.
  • SE_PAYMENT_REDIRECT_LURE (high): Payment redirection / bank-detail change lure
    The document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
  • SE_INVOICE_LURE (low): Fake invoice / payment lure
    The document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
    • http://thevillagemiami.com/uploads/1/3/0/3/130323139/6169127.pdf
    • http://beatdiabetesnow.org/uploads/1/3/0/6/130605186/a69cb7cb25bd.pdf
    • http://mypartypro.net/uploads/1/3/0/8/130814923/df473b8f499b.pdf
    • http://easyvoxbox.org/uploads/1/3/0/6/130621292/simasebemazi.pdf
    • http://carolynrim.com/uploads/1/3/0/2/130272513/fudupefemono.pdf
    • http://trouthide.com/uploads/1/3/0/5/130546354/jilapo.pdf
    • http://nuobeijinghotel-chinese.devsite-1.com/uploads/1/3/0/4/130483402/130483402.html#sbi+online+saving+account+opening+form+pdf
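The PDF_SEO_LINK_FARM heuristic above combines three observations: a small file, many external links to further PDFs, and clustering of those links. The script below is an added example, not the analysis platform's own rule: it pulls /URI link-annotation targets out of raw PDF bytes with the standard library only and scores them with assumed thresholds (200 KB, five .pdf links, host share of 0.5 or a shared path prefix at least three directories deep). The sample PDF it builds is a constructed skeleton carrying the seven URLs listed in this report, not the analysed sample's actual bytes; it also shows why host counting alone would miss this sample while the shared /uploads/1/3/0/ template still catches it.

```python
"""Link-farm scoring over raw PDF bytes (added example, not the platform's rule)."""
import json
import os
import re
from collections import Counter
from urllib.parse import urlparse

# /URI literal strings inside Link annotations. PDF strings may carry backslash
# and octal escapes, so the body is captured raw and un-escaped afterwards.
# Assumed scope: hex strings (/URI <...>) and annotations packed into compressed
# object streams are not seen; inflate /ObjStm objects first for those.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape(s: bytes) -> bytes:
    # Resolve literal-string escapes: octal \ddd, the \n \r \t shorthands, and
    # escaped parentheses or backslash (which map to themselves).
    def repl(m):
        e = m.group(1)
        if e[:1].isdigit():
            return bytes([int(e, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, s)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Every /URI target in the file, decoded as Latin-1 (PDF's byte-string default)."""
    return [_unescape(m.group(1)).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def score_link_farm(pdf_bytes: bytes, *, max_size=200 * 1024, min_pdf_links=5,
                    host_share=0.5, min_cluster=3, min_prefix_depth=3) -> dict:
    """Apply the heuristic (assumed thresholds) and return evidence plus verdict."""
    parsed = [urlparse(u) for u in extract_uris(pdf_bytes)]
    external = [p for p in parsed if p.scheme in ("http", "https") and p.hostname]
    pdf_links = [p for p in external if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname for p in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    # Longest directory prefix shared by all link paths: generated link-farm
    # pages spread over many domains tend to share one template path.
    prefix = os.path.commonprefix([p.path for p in external]) if external else ""
    prefix = prefix[: prefix.rfind("/") + 1]
    share = round(top_n / len(external), 2) if external else 0.0
    host_clustered = top_n >= min_cluster and share >= host_share
    template_clustered = prefix.count("/") - 1 >= min_prefix_depth
    clustered_by = "host" if host_clustered else ("path-template" if template_clustered else None)
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": share,
        "common_path_prefix": prefix,
        "clustered_by": clustered_by,
        "fires": (len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links
                  and clustered_by is not None),
    }


# Constructed sample input: the URLs from this report, wrapped in a minimal PDF
# skeleton with one Link annotation each. Not the analysed sample's real bytes.
_FARM_URLS = [
    b"http://thevillagemiami.com/uploads/1/3/0/3/130323139/6169127.pdf",
    b"http://beatdiabetesnow.org/uploads/1/3/0/6/130605186/a69cb7cb25bd.pdf",
    b"http://mypartypro.net/uploads/1/3/0/8/130814923/df473b8f499b.pdf",
    b"http://easyvoxbox.org/uploads/1/3/0/6/130621292/simasebemazi.pdf",
    b"http://carolynrim.com/uploads/1/3/0/2/130272513/fudupefemono.pdf",
    b"http://trouthide.com/uploads/1/3/0/5/130546354/jilapo.pdf",
    b"http://nuobeijinghotel-chinese.devsite-1.com/uploads/1/3/0/4/130483402/130483402.html#sbi+online+saving+account+opening+form+pdf",
]


def _build_pdf(urls):
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj"]
    for i, u in enumerate(urls):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" % (4 + i) + u + b") >> >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


SAMPLE_FARM_PDF = _build_pdf(_FARM_URLS)
SAMPLE_BENIGN_PDF = _build_pdf([b"https://example.org/reports/annual-2023.pdf",
                                b"https://example.net/docs/faq.pdf"])

if __name__ == "__main__":
    print(json.dumps(score_link_farm(SAMPLE_FARM_PDF), indent=1))
    print(json.dumps(score_link_farm(SAMPLE_BENIGN_PDF), indent=1))
```

On a real sample, run the scorer over the decompressed file (qpdf --qdf or an equivalent object-stream expansion) so that annotations hidden in /ObjStm containers are visible to the regex; the numbers it returns are the evidence to record next to the verdict, not a detection on their own.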

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010c6.bin
SHA-256:  ad094a77519f6dccf90ec2fa7b1516f749cb350aba29f71ac97ade8d575a23e1
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x10C6
Size:     8484 bytes
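The artifact above is a font program carved from a PDF stream at a known file offset. The script below is an added example, not the platform's carver: it walks every stream object in raw PDF bytes, inflates FlateDecode streams, recognises sfnt containers by their four-byte signature, reads the table directory as a sanity check, and checks the declared /Length1 against the inflated size. It assumes direct /Length values and FlateDecode as the only filter; the artifact name format mirrors the table above. The PDF it builds is a constructed sample with a synthetic two-table TrueType header, not the analysed file.

```python
"""Carve sfnt font streams from a PDF (added example, not the platform's carver)."""
import hashlib
import re
import struct
import zlib

SFNT_MAGIC = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF",
              b"true": "Apple TrueType", b"ttcf": "TrueType collection"}
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")   # 'stream' keyword, not 'endstream'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf: bytes):
    """Yield (offset, dictionary_bytes, decoded_data) for every stream object."""
    for m in STREAM_KW.finditer(pdf):
        start = m.end()
        obj_at = pdf.rfind(b" obj", 0, m.start())
        head = pdf[max(obj_at, 0):m.start()]                    # the stream dictionary
        lm = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head)  # direct /Length only
        if lm:
            end = start + int(lm.group(1))
        else:                                   # indirect /Length: fall back to keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                return
        raw = pdf[start:end]
        if b"/FlateDecode" in head:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue                        # truncated or non-zlib data: skip it
        yield start, head, raw


def _sfnt_tables(data: bytes) -> list:
    """Table tags from the sfnt offset table; empty if the header is not sane."""
    if len(data) < 12:
        return []
    num_tables = struct.unpack(">H", data[4:6])[0]
    if not 0 < num_tables <= 64 or len(data) < 12 + 16 * num_tables:
        return []
    tags = [data[12 + 16 * i:16 + 16 * i] for i in range(num_tables)]
    if not all(0x20 <= c < 0x7F for t in tags for c in t):   # tags are printable ASCII
        return []
    return [t.decode("ascii") for t in tags]


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Return one record per font stream: name (offset-based), hash, flavour, tables."""
    found = []
    for off, head, data in iter_streams(pdf):
        flavor = SFNT_MAGIC.get(data[:4])
        if flavor is None:
            continue
        # /Length1 is the uncompressed font length declared in a FontFile stream;
        # a mismatch means the stream was padded or truncated and deserves a look.
        l1 = re.search(rb"/Length1\s+(\d+)", head)
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
            "offset": off,
            "size": len(data),
            "sha256": sha256_hex(data),
            "flavor": flavor,
            "tables": _sfnt_tables(data) if flavor != "TrueType collection" else [],
            "length1_ok": (int(l1.group(1)) == len(data)) if l1 else None,
        })
    return found


def _fake_sfnt() -> bytes:
    # Constructed TrueType-flavoured sfnt: offset table plus two table records.
    tags = [b"cmap", b"head"]
    hdr = struct.pack(">IHHHH", 0x00010000, len(tags), 32, 1, 0)
    body_at = 12 + 16 * len(tags)
    recs = b"".join(struct.pack(">4sIII", t, 0, body_at + 64 * i, 64) for i, t in enumerate(tags))
    return hdr + recs + b"\x00" * (64 * len(tags))


FAKE_FONT = _fake_sfnt()


def _build_sample_pdf() -> bytes:
    # Constructed PDF fragment: a plain content stream, a compressed non-font
    # stream, and a compressed FontFile stream. Not the analysed sample's bytes.
    content = b"BT /F1 12 Tf (Invoice attached) Tj ET"
    other = zlib.compress(b"\x89PNG not a font" * 4)
    font = zlib.compress(FAKE_FONT)
    return b"".join([
        b"%PDF-1.7\n",
        b"4 0 obj\n<< /Length %d >>\nstream\n" % len(content), content, b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(other), other,
        b"\nendstream\nendobj\n",
        b"6 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
        % (len(font), len(FAKE_FONT)), font, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


SAMPLE_PDF = _build_sample_pdf()

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print(rec)
```

The carved blob's hash is what gets pivoted on in other reports; the offset lets an analyst jump straight to the object in a hex editor, and the table list plus the /Length1 check tell at a glance whether the stream is a plausible font or something else wearing a font's signature.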