Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2c6d72b007971b8…

Verdict: MALICIOUS
File type: PDF
Size: 85.8 KB
Authoring application: Poppler-utils
MD5: db0e5203149d7ef2802be460119b4159
SHA-1: 50f9be2460acdb614d46389cba899947dca40c03
SHA-256: a2c6d72b007971b8662e0dc5c7b6242bceef9da98e85ba6502340946e151a885
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits characteristics of an advance-fee scam, using lures related to lotteries or parcel deliveries. It contains a mass of external links, suggesting a link farm designed to distribute further malicious content or engage in SEO manipulation. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports its malicious nature. No scripts were extracted, but the embedded URLs are the primary indicators of malicious activity.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003367.bin
    SHA-256: 510aa5bd7cf1e233a61a03b55f664760e0956b076dd236c86ec87f6e7bfa96c2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3367
    Size: 10200 bytes
  • Filename: font_01_sfnt_off0000fb33.bin
    SHA-256: 2c32c498f23db3cae400dac070c72b38d41a5d5dbe5041cbe08e7cee44e1acfd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB33
    Size: 2648 bytes
  • Filename: font_02_sfnt_off000104a6.bin
    SHA-256: 775a8be603d7f2fbcf8ade61603f627d91fd550619762fec97b215165335f533
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x104A6
    Size: 18204 bytes