Malicious PDF — malware analysis report

Static analysis result for SHA-256 a124a90fd3b913b9…

MALICIOUS

PDF

53.0 KB Authoring application: PDF Studio
MD5: 6a4d5e4d7feab4a68a8ecc8fea7c81cf SHA-1: b78539f7b00ba81aed14283b6b86b61978630d66 SHA-256: a124a90fd3b913b93ad72dbd60786e3da76eb1152d21482167f1ca63019d31bb
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm with numerous external PDF links, indicative of SEO poisoning or a phishing lure. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or traffic redirection intent. The presence of a visual download button further supports the lure-based attack pattern.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mazujizada.weebly.com/uploads/1/3/0/5/130551512/3f8d6d.pdf
    • http://yungpop.com/uploads/1/3/0/5/130588564/mevoful.pdf
    • http://burnellinfinitymath.com/uploads/1/3/0/2/130289271/2992906.pdf
    • http://keyconnect.net/uploads/1/3/0/3/130323285/094c93970.pdf
    • http://jacquegraham.net/uploads/1/3/0/6/130621140/vanux.pdf
    • http://piecedtogether.org/uploads/1/3/0/6/130639270/bcd9678fe4b47.pdf
    • http://moodstruk.com/uploads/1/3/0/2/130272636/warasuwa-tonitavuvopuja.pdf
    • http://alicevictoriadesign.com/uploads/1/3/0/6/130620709/tunapiz-wadot-tezutajodine-donoxinidewak.pdf
    • http://remont-msk8.icu/uploads/2020/01/28/4535278.pdf
    • http://misssoutheastpageantry.us/uploads/1/3/0/5/130588864/130588864.html#bhakti+geet+mp4+song

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001381.bin
2c5e63ac99a52b570cba7f53cb24c3e1b31cc4139c22ebeeb205857a8f418b68		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1381 8124 bytes
font_01_sfnt_off00007c97.bin
271f93785e8adefb33624e276e1eaa4957cbf4bfc104bfbc7460ab72b26689b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C97 13344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.