Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f6cc354c93b19ba…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Authoring application: PDFBox
MD5: 33592983e3ac4fcea50a48ac3dcf581e
SHA-1: 7b1e2858eb0c5bdcc07931f4d4e61231fb64e8d9
SHA-256: 8f6cc354c93b19ba9ebf2e3c83764800de5383b4875358d1cc0c47fb0b9bbbb5
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic, which suggests a link farm or distribution mechanism. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious classification. The document body contains fragmented text and URLs, but the primary malicious activity appears to be the mass linking, most likely intended to redirect users to malicious content or to further stages of an attack.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Urgency / deadline lure (severity: low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000133d.bin
SHA-256: 60c6e40d892867d6e372fce498b23e1f46d33b4782a432068f1fb9c93616ac78
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x133D
Size: 9004 bytes