Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e68e54931d41998…

Verdict: MALICIOUS
File type: PDF
Size: 56.3 KB
Authoring application: Nitro PDF
MD5: b99cb7b3ee3c55dd016bd343d97dbdb9
SHA-1: 46d930f1d07eb40955260b6a20cd93228d85d8fb
SHA-256: 8e68e54931d4199843a2f081be121ff2a6c2f536969d6704c667abc94681d398
Risk score: 128

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of clickable external links, a pattern characteristic of SEO-poisoning carriers that funnel users to phishing or malware-distribution sites. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports a phishing or traffic-redirection intent. The document's visible text about critiquing a research article (which matches the '#sample+research+article+critique+apa+format' fragment on one of the extracted links) is most likely a lure chosen to rank in search results and to disguise the purpose of the links; the document itself carries no executable payload, so the risk is in what the links resolve to.

Heuristics 4

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the targets are spread over eleven distinct hosts but share the same /uploads/1/3/0/... path template and mostly point at further .pdf files, which is the same template-generated pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (11):
    • http://northbrisbanebutcher.com/uploads/1/3/0/7/130738837/2461194.pdf
    • http://mertior.com/uploads/1/3/0/3/130379412/majareba-romekugoxem-tidesewadaluzu-xakinuxi.pdf
    • http://momentsbymelinda.net/uploads/1/3/0/5/130539455/5089143.pdf
    • http://austinareaapartments.net/uploads/1/3/0/4/130483906/tedaliniromoxavanuw.pdf
    • http://www.robinson.daniellerosephotography.com/uploads/1/3/0/7/130738792/dapokapilepumit.pdf
    • http://meadowlarkstudios.net/uploads/1/3/0/4/130476650/1230990.pdf
    • http://freespiritgirl.com/uploads/1/3/0/4/130483345/7344689.pdf
    • http://valkyriesurfer.com/uploads/1/3/0/7/130738803/56255.pdf
    • http://reneedumarr.com/uploads/1/3/0/6/130620929/pusawe.pdf
    • http://sfifp.com/uploads/1/3/0/7/130776122/wefozutibesigi-nupibuli-xalalejipegar.pdf
    • http://members.ndga.org/uploads/1/3/0/6/130605162/8005181.pdf
    • http://helenmortpoetry.com/uploads/1/3/0/5/130540472/130540472.html#sample+research+article+critique+apa+format
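As an added illustration of how the PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above can be reproduced in triage, the following is example code written for this report, not the analysis engine's own rule implementation. It scans the raw bytes of a PDF for /URI link-annotation targets, decodes PDF literal-string escapes properly (balanced parentheses and backslash escapes, which a naive "up to the first ')'" regex gets wrong), and scores the file against the pattern the rule describes: small file, many clickable external links, most of them pointing at other .pdf files, clustered on few hosts. The thresholds, host names and paths are assumptions chosen for illustration; the constructed sample PDF is not the analysed file.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Heuristic thresholds (assumed values for illustration; the report does not
# state the thresholds its PDF_SEO_LINK_FARM rule actually uses).
MAX_SIZE = 200_000        # "small PDF": under ~200 KB
MIN_EXTERNAL_LINKS = 5    # "mass" of clickable external links
MIN_PDF_FRACTION = 0.5    # most targets are themselves .pdf files


def read_literal(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a PDF literal string starting at buf[pos] == b'('.

    Handles backslash escapes and balanced nested parentheses
    (ISO 32000-1 section 7.3.4.2). Returns (decoded bytes, index just
    past the closing paren).
    """
    assert buf[pos:pos + 1] == b"("
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
    depth, i, out = 1, pos + 1, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        i += 1
        if c == b"\\":                       # escape: \n \( \) \\ ...
            nxt = buf[i:i + 1]
            out += simple.get(nxt, nxt)
            i += 1
        elif c == b"(":
            depth += 1
            out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
    return bytes(out), i


URI_ACTION = re.compile(rb"/URI\s*\(")   # the /URI key of a URI action dictionary


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found by a raw-byte scan, in file order.

    Blind spot: dictionaries inside compressed object streams (/ObjStm) and
    hex-string (<...>) targets are not seen; a full parser would inflate those first.
    """
    return [read_literal(pdf, m.end() - 1)[0].decode("latin-1")
            for m in URI_ACTION.finditer(pdf)]


def link_farm_score(pdf: bytes) -> dict:
    """Score a PDF against the link-farm pattern: small file, many clickable
    external links, mostly pointing at other .pdf files, clustered on few hosts."""
    external = [u for u in extract_link_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    pdf_targets = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    n = len(external)
    return {
        "size": len(pdf),
        "external_links": n,
        "pdf_targets": len(pdf_targets),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(top_count / n, 2) if n else 0.0,
        "flagged": len(pdf) <= MAX_SIZE and n >= MIN_EXTERNAL_LINKS
                   and len(pdf_targets) / n >= MIN_PDF_FRACTION,
    }


def build_sample_pdf(uris: list[str]) -> bytes:
    """Constructed test input (not the analysed sample): a one-page PDF with one
    /Link annotation per URI, just enough structure for the scanner above."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for i, u in enumerate(uris):
        esc = (u.encode("latin-1").replace(b"\\", b"\\\\")
                .replace(b"(", b"\\(").replace(b")", b"\\)"))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (12 * i, 12 * i + 10, esc))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (k + 1, o) for k, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Placeholder hosts and paths, constructed to mimic the "uploads/.../<junk>.pdf" shape.
FARM_URIS = [f"http://farm-a.example/uploads/1/3/0/{i}/{i * 7919}.pdf" for i in range(7)] + \
            [f"http://farm-b.example/uploads/1/3/0/{i}/doc{i}.pdf" for i in range(2)] + \
            ["http://farm-a.example/uploads/1/3/0/9/9.html#sample+lure+topic"]
BENIGN_URIS = ["https://doi.example/10.1000/xyz123", "http://journal.example/about.html"]

if __name__ == "__main__":
    for name, uris in (("farm", FARM_URIS), ("benign", BENIGN_URIS)):
        print(name, link_farm_score(build_sample_pdf(uris)))
```

The scanner only reports the link-annotation channel; URLs reached through JavaScript actions, OpenAction or plain body text would need separate extractors, which is why the report labels each URL with the channel that reached it. A raw-byte scan is also deliberately cheap: it will miss annotations packed into compressed object streams, so a miss here does not clear a file, while a hit on a small file with a dozen external .pdf targets is a strong signal on its own.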

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off000012e9.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x12E9  8444 bytes
SHA-256: eca6bdc85da8f4979b8151aa3dc767b6d2b58c306487eb005d4a1f58d306f5ec

An embedded sfnt font stream is normal for a PDF produced by an authoring tool and is not an indicator on its own; it is carved and hashed so that it can be checked separately from the container.