Malicious PDF — malware analysis report

Static analysis result for SHA-256 982161df4846144a…

MALICIOUS

PDF

Size: 44.2 KB
Authoring application: pdf-parser
MD5: 74d9e7adc0dd0e60425c26e82db12ce1
SHA-1: 1cdec5c3115d9e332e77d09bdc682d22164f3e50
SHA-256: 982161df4846144a75d188aea88e1333073b1b87d351e925d18bdac62e765c13
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF file contains a large number of embedded external links, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further indicates malicious intent, most likely phishing or SEO abuse. The embedded URLs are the primary indicators of compromise: they point to external PDF files hosted on many different domains, all under the same /uploads/1/3/0/<n>/<id>/ path template, which is consistent with a generated link farm rather than with genuine document citations.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cerritosnotarypublic.com/uploads/1/3/0/4/130436071/feweken.pdf
    • http://naplescitynews.com/uploads/1/3/0/6/130605416/9375674.pdf
    • http://southernsafetysolutionsllc.com/uploads/1/3/0/8/130813372/keminedobitigi.pdf
    • http://threeriverproperties.com/uploads/1/3/0/8/130873893/puranevimej-kinew-xikelusodajam.pdf
    • http://onceuponapage.net/uploads/1/3/0/6/130639278/22f18.pdf
    • http://www.hipababy.com/uploads/1/3/0/2/130289177/metit.pdf
    • http://84972.atkhn.com/uploads/1/3/0/8/130874475/nogiminute.pdf
    • http://thisisbinding.com/uploads/1/3/0/3/130313854/gibewefu.pdf
    • http://apexbasketballtraining.com/uploads/1/3/0/4/130476146/7860171.pdf
    • http://www.thecraftnest.shop/uploads/1/3/0/7/130740562/2554113.pdf
    • http://abilenecares.org/uploads/1/3/0/6/130640092/zojuv_vifudabazilon_janoxadew.pdf
    • http://qui.social/uploads/1/3/0/5/130588651/1823846.pdf
    • http://kiemtratenmien.net/uploads/1/3/0/2/130271232/3430063.pdf
    • http://project-black.net/uploads/1/3/0/6/130620437/3e234d46c.pdf
    • http://sales11-sip-phone.pleasingfood.com/uploads/1/3/0/7/130740018/9855958.pdf
    • http://sofullofcrepe.org/uploads/1/3/0/6/130604315/sufugezu.pdf
    • http://nikhitavaddineni.com/uploads/1/3/0/6/130604036/xoxos-fexega-ratesuwurererav-migenimo.pdf
    • http://raremark.net/uploads/1/3/0/8/130814390/bozerilufiwazi.pdf
    • http://mail.tamartomson.com/uploads/1/3/0/8/130874489/jipevawafako.pdf
    • http://rawly.net/uploads/1/3/0/5/130588232/9e536bc270.pdf
    • http://ibz-a.com/uploads/1/3/0/4/130477131/2761bee14e6ed15.pdf
    • http://stealthapplicant.com/uploads/1/3/0/2/130270885/4858895.pdf
    • http://mta-sts.mx.driftriders.org/uploads/1/3/0/5/130590613/bagoz_vixulesarif.pdf
    • http://capture305.com/uploads/1/3/0/4/130435546/pawit.pdf
    • http://www.wnjsupplies.com/uploads/1/3/0/6/130605198/kuxasuposurixu.pdf
    • http://kingshotelsrussiansummary.devsite-1.com/uploads/1/3/0/3/130323337/130323337.html#linux+administration+handbook+%282nd+edition%29+pdf
    • http://abilenecares.org/uploads/1/3/0/6/130640092/zojuv_vifud
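As an added illustration of the PDF_SEO_LINK_FARM heuristic above (example code written for this page, not the scanner's own implementation), the Python below builds a constructed one-page PDF consisting only of /Link annotations, extracts the /URI targets from the raw bytes, and applies assumed thresholds (minimum number of external .pdf links, maximum file size, host-clustering ratio). Host clustering and a shared path template are reported as separate signals rather than required for the verdict, because the URL list above spans many distinct hosts while every entry sits under the same /uploads/<n>/<n>/<n>/ template. Only the link-annotation channel is covered, and only for uncompressed objects; URLs reached through body text (such as the truncated last entry) or inside object streams would need a real PDF parser.

```python
"""Example PDF_SEO_LINK_FARM-style check (illustration code, not the scanner's).

Thresholds, the sample PDFs and the path-template signal are assumptions made
for this example.  Only /URI literal strings in uncompressed objects are seen.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) as written in a /Link annotation's action dictionary.
# Literal strings escape ( ) and \ with a backslash; hex strings are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _pdf_string(s: str) -> bytes:
    """Encode a URL as a PDF literal string, escaping the three special bytes."""
    return re.sub(rb"([()\\])", rb"\\\1", s.encode("latin-1"))


def _path_template(u: str, depth: int = 4) -> str:
    """First `depth` path segments with digit runs replaced by '#', e.g. /uploads/#/#/#."""
    segs = [s for s in urlsplit(u).path.split("/") if s][:depth]
    return "/" + "/".join(re.sub(r"\d+", "#", s) for s in segs)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI literal string in an uncompressed PDF, unescaped."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(pdf: bytes, min_pdf_links: int = 10, max_size: int = 200_000,
                    cluster_ratio: float = 0.5) -> dict:
    """Flag a small PDF carrying many clickable external .pdf links.

    Verdict: file size <= max_size and at least min_pdf_links external .pdf
    targets.  Host clustering and a dominant path template are returned as
    supporting signals.  All thresholds are assumptions for this example.
    """
    external = [u for u in extract_uris(pdf)
                if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(_path_template(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, tpl_count = templates.most_common(1)[0] if templates else (None, 0)
    host_share = top_count / len(external) if external else 0.0
    tpl_share = tpl_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(host_share, 2),
        "clustered": host_share >= cluster_ratio,
        "top_path_template": top_tpl,
        "top_path_template_share": round(tpl_share, 2),
        "link_farm": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: a one-page PDF whose only content is /Link annotations."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annots + b"] >>")
    for i, u in enumerate(urls):
        rect = b"[72 %d 540 %d]" % (700 - 14 * i, 712 - 14 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect
                    + b" /A << /S /URI /URI (" + _pdf_string(u) + b") >> >>")
    body, offsets = b"%PDF-1.4\n", []
    for n, obj in enumerate(objs, start=1):
        offsets.append(len(body))
        body += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    xref = len(body)
    body += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    body += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    body += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
             % (len(objs) + 1, xref))
    return body


if __name__ == "__main__":
    # Constructed input mimicking the listing above: distinct hosts, one path template.
    farm = build_sample_pdf(
        [f"http://site{i}.example/uploads/1/3/0/{i}/1300{i:05d}/doc{i}.pdf"
         for i in range(12)])
    print(link_farm_score(farm))
```

Running the script prints a verdict dictionary for the constructed sample; against a real file, feed the raw bytes after inflating any object streams (for example with pdf-parser's stream decoding), otherwise compressed annotations are missed.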

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004851.bin
SHA-256: 00eeefd99dbc8372039d8929d451c3001e05c7c8a5c4b7d0f383c4fbab9ba6d4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4851
Size: 8168 bytes