Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2217b5fa9f9edaa…

MALICIOUS

PDF

35.8 KB Authoring application: PDFedit
MD5: bb48fd116182905432ffe61f074e00d6 SHA-1: 55014f2263f355635121518c0d72440a1f17e4e6 SHA-256: a2217b5fa9f9edaaa5f3704b0c3b295ba00d3eb30f3b0b35e1ee4752b8eba425
128 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1566 Phishing

The PDF contains a large number of external links, many of which point to suspicious domains, indicating a link farm for SEO or phishing purposes. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or malicious traffic redirection workflow. The presence of a 'download button' heuristic further supports the phishing lure. The document body, though heavily obfuscated, contains references to 'Cydia jailbreak for windows' and multiple URLs, reinforcing the malicious intent.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://100percentcajun.com/uploads/1/3/0/2/130270898/159275.pdf
    • http://bavile.schwinnfitness.ru/uploads/2020/01/28/gipedipumuridademal.pdf
    • http://fos.bonys-clinic.ru/uploads/2020/01/27/1196687.pdf
    • http://xidavi.photo-vologda.ru/uploads/2020/01/27/rikevojubu.pdf
    • https://loragokafiziki.weebly.com/uploads/1/3/0/2/130271038/03f88b934.pdf
    • http://bodyworkbybarb.com/uploads/1/3/0/5/130588830/130588830.html#cydia+jailbreak++for+windows

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001070.bin
79b868de2abe93565cfc684b41fd3ed0aa488cc1bbf6c15cf29eaee629942a51		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1070 8120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.