Malicious PDF — malware analysis report

Static analysis result for SHA-256 94c3b5066f3bbd4d…

MALICIOUS

PDF

Size: 39.6 KB
Authoring application: Mobipocket Creator
MD5: 7d30f9e15e6328d39cdb23db9f92d7ee
SHA-1: 381d978d04802834d7ecf5cad28054e098930580
SHA-256: 94c3b5066f3bbd4d1be9bf81289b5479ea582397eec896dd2bc1a47f30428c8e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded URLs, forming a link farm, which is a common technique for phishing and redirecting users to malicious sites. The heuristic 'PDF_SEO_LINK_FARM' specifically flags this behavior, indicating the document's primary purpose is likely to distribute links to further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000380a.bin
SHA-256: 3a28aec55a1fc0493908fc3a26f5d8cd19830d3ffd84565fa8c04b77f0b55ea5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x380A
Size: 8488 bytes