Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d9c4bb364a60fb3…

Verdict: MALICIOUS
File type: PDF
Size: 50.6 KB
Authoring application: Mobipocket Creator
MD5: be7e34e5a48de353ba5db21b3a05eb24
SHA-1: 6a518dc5a4a0dfd25a6be2e590b65be342043bf0
SHA-256: 9d9c4bb364a60fb3d35562cba96aa1a1b0b21ea7e8b33050eab3f951c589b477
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

ClamAV flags the file with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Independently of that signature, the PDF_SEO_LINK_FARM heuristic fired: a 50.6 KB document carries an unusually large number of clickable external links, most of them pointing at further PDF files under upload-style paths on several unrelated domains, which is the pattern of a generated SEO link-farm carrier rather than a document that cites sources. The findings point to a redirect carrier rather than an exploit document: its purpose is to route anyone who clicks through to whatever the remote PDFs and pages serve at that moment, so the linked hosts, not this file, are the delivery point. Treat the extracted URLs as indicators to block and to hunt for in proxy logs, and expect the remote content to change or disappear quickly.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (document body):
    • http://fefa.token-movil.com/uploads/2020/01/28/5401444.pdf
    • http://spmfilms.net/uploads/1/3/0/6/130603922/b140a.pdf
    • http://modafabrictreasure.co.uk/uploads/1/3/0/6/130639538/nowama.pdf
    • http://fgf999.com/uploads/2020/01/28/warudosilemi_wemotedekeruko_nutotep.pdf
    • http://mlwolters.com/uploads/1/3/0/5/130551124/b642d.pdf
    • http://juliejesternewman.com/uploads/1/3/0/2/130273962/130273962.html#waveguide+cutoff+wavelength+calculator
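The link-farm heuristic described above, reimplemented as an added example; this is not the analysis platform's own code and its thresholds (200 KB "small", five or more external links, half of them targeting further .pdf files, half on one host) are assumptions chosen for illustration. The sample PDF is constructed inline from a skeletal page with one /Link annotation per URL, optionally packed into a FlateDecode object stream the way real producers emit it; the example.net/.org/.com hosts are hypothetical.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions for this example, not the report's tuning.
SMALL_FILE_MAX = 200 * 1024   # "small PDF": at most 200 KB
MIN_EXTERNAL_LINKS = 5        # "many" clickable external links
MIN_PDF_TARGET_SHARE = 0.5    # at least half of them point at further .pdf files
CLUSTER_SHARE = 0.5           # top host carries at least half of the links

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /URI (literal string)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")               # /URI <hex string>
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Return the decoded body of every stream that inflates as zlib/Flate data.
    Link annotations are often stored in compressed object streams (/ObjStm),
    so scanning only the raw file would miss them."""
    out = []
    for m in STREAM.finditer(pdf):
        d = zlib.decompressobj()          # tolerates the trailing newline before endstream
        try:
            out.append(d.decompress(m.group(1)))
        except zlib.error:
            pass                          # not Flate data (image, font, other filter)
    return out


def extract_uris(pdf: bytes) -> list[str]:
    """Pull every /URI action target from raw objects and from inflated streams."""
    uris = []
    for blob in [pdf, *inflate_streams(pdf)]:
        for m in URI_LITERAL.finditer(blob):
            s = re.sub(rb"\\([()\\])", rb"\1", m.group(1))   # undo \( \) \\ escapes
            uris.append(s.decode("latin-1"))
        for m in URI_HEX.finditer(blob):
            h = re.sub(rb"\s", b"", m.group(1)).decode()
            uris.append(bytes.fromhex(h + ("0" if len(h) % 2 else "")).decode("latin-1"))
    return uris


def link_farm_report(pdf: bytes) -> dict:
    """Apply a PDF_SEO_LINK_FARM-style heuristic and return the evidence behind the verdict."""
    uris = extract_uris(pdf)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https", "ftp")]
    pdf_targets = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_n / len(external) if external else 0.0
    flagged = (len(pdf) <= SMALL_FILE_MAX
               and len(external) >= MIN_EXTERNAL_LINKS
               and len(pdf_targets) >= MIN_PDF_TARGET_SHARE * len(external))
    severity = "none"
    if flagged:   # clustering on one host is the stronger signal, so it raises severity
        severity = "critical" if top_share >= CLUSTER_SHARE else "high"
    return {"size_bytes": len(pdf), "uris": uris, "external_links": len(external),
            "pdf_targets": len(pdf_targets), "distinct_hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(top_share, 2),
            "link_farm": flagged, "severity": severity}


def pdf_literal(s: str) -> bytes:
    """Escape a Python string as a PDF literal string body."""
    b = s.encode("latin-1")
    for ch in (b"\\", b"(", b")"):
        b = b.replace(ch, b"\\" + ch)
    return b


def build_link_pdf(urls: list[str], compress: bool = False) -> bytes:
    """Constructed test input: a skeletal PDF (no xref table) whose single page carries one
    /Link annotation per URL, optionally packed into a FlateDecode object stream."""
    annots = [b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
              b"/A << /S /URI /URI (" + pdf_literal(u) + b") >> >>" for u in urls]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>"]
    if compress:
        data = zlib.compress(b"\n".join(annots))
        objs.append(b"<< /Type /ObjStm /N %d /Filter /FlateDecode /Length %d >>\nstream\n"
                    % (len(annots), len(data)) + data + b"\nendstream")
    else:
        objs.extend(annots)
    body = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample, modelled on the uploads/<digits>/<name>.pdf pattern seen in the report.
SAMPLE_URLS = [
    "http://files.example.net/uploads/1/3/0/6/130603922/a1.pdf",
    "http://files.example.net/uploads/1/3/0/6/130639538/b2.pdf",
    "http://files.example.net/uploads/1/3/0/5/130551124/c3.pdf",
    "http://files.example.net/uploads/2020/01/28/5401444.pdf",
    "https://docs.example.com/whitepaper.pdf",
    "http://mirror.example.org/uploads/1/3/0/2/130273962/130273962.html#calculator",
    "mailto:abuse@example.net",   # not a web link; the scheme filter drops it
]

if __name__ == "__main__":
    for compressed in (False, True):
        r = link_farm_report(build_link_pdf(SAMPLE_URLS, compress=compressed))
        print("compressed" if compressed else "raw", {k: v for k, v in r.items() if k != "uris"})
```

The scan is regex-based rather than a full object parser, which is what makes it robust to the broken xref tables link-farm generators often emit, but it only sees Flate-compressed and uncompressed objects: encrypted documents, LZW/ASCIIHex-filtered object streams, and links fired from JavaScript (app.launchURL) or /Launch actions need separate handling.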

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded fonts, which are ordinary PDF content; no heuristic fired on them, so they are listed for hashing and separate inspection rather than as detections.

  • font_00_sfnt_off0000125d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x125D
    Size: 8552 bytes
    SHA-256: 396b8877291ed4e4f0bcd513aebce81bf8e6f33c44cec8b12e60d741b26a2f12
  • font_01_sfnt_off0000722d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x722D
    Size: 16080 bytes
    SHA-256: 1fabbfe8b09fe1677f34137117f6b04a54f3a58b97fc818306f8314d63649d97
  • font_02_sfnt_off000086db.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x86DB
    Size: 4316 bytes
    SHA-256: 208f90309f0fdf6f7d49ec23fe0931e230aa7d3e7424b894ae7fb4d69d0fa375