Malicious PDF — malware analysis report

Static analysis result for SHA-256 99b7f31646394304…

MALICIOUS

PDF

Size: 40.9 KB
Authoring application: GIMP
MD5: 81766b03d873363bd382f55cb82f766e
SHA-1: 8b7d63055ef0470b8961a44c5185124b0a0c1cc0
SHA-256: 99b7f31646394304f7aa66d5a4c909c6f9aa3433881ea089a2d09142b49c9841
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified as a PDF_SEO_LINK_FARM heuristic, suggesting a phishing or spam campaign. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports this. The document body contains urgency language like 'account will be terminated', reinforcing the phishing lure. No scripts were extracted from this sample.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_URGENCY_LURE (low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://pickapassword.com/uploads/1/3/0/6/130604598/4593688.pdf
    • http://tfamcon.com/uploads/1/3/0/6/130639467/wikolowuke-romewavazig-winawazobamob-vupamuwedatiku.pdf
    • http://auntkates.com/uploads/1/3/0/3/130323146/1790232.pdf
    • https://judenonur.weebly.com/uploads/1/3/0/5/130588511/86f6e0f5deea01.pdf
    • http://my-gama.com/uploads/1/3/0/6/130621757/7132095.pdf
    • http://racks4retail.com/uploads/1/3/0/3/130323527/f1d1a913d6.pdf
    • http://cavalcadeofkink.com/uploads/1/3/0/3/130313561/dodunabaget.pdf
    • http://dayveboy.com/uploads/1/3/0/5/130540208/56aaae.pdf
    • http://pakalolochocolate.com/uploads/1/3/0/5/130546237/ad77ea67.pdf
    • http://advancedsteeldetailingltd.com/uploads/1/3/0/3/130323952/4134840.pdf
    • http://aletothechief.com/uploads/1/3/0/5/130588173/refonar.pdf
    • http://davidmarquesibanez.com/uploads/1/3/0/3/130323674/130323674.html#toefl+ibt+listening+test+2+-+full+test+with+answer+keys

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00001298.bin
    SHA-256: ec74736ddddf68c8669c0d5c8c0bcc4c34d68b31987d1336f61203136c80abe7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1298
    Size: 8308 bytes
  • font_01_sfnt_off00005773.bin
    SHA-256: feb643a66ad04cc3932283c9206cb2ef5de961104b28d4b9cc944e4fab6f0f6b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5773
    Size: 16500 bytes