Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5ae9e92889aed2a…

MALICIOUS

PDF

30.7 KB Authoring application: OpenOffice.org
MD5: f3f8ac2f57afc97aa544fc9d4c3eb1a8 SHA-1: 5571f698f1ef203a879a77e6a140ff2507dd2b65 SHA-256: a5ae9e92889aed2acb4e1dca950d7408e86a74563ccd5a9ffa336d5d72eb90b7
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, identified as a link farm, which is a common technique for distributing malicious content. The heuristic 'SE_CALLBACK_LURE' suggests the document's content is designed to trick users into calling a number, likely for a scam. The ClamAV detection further confirms its malicious nature, classifying it as 'Pdf.Phishing.TtraffRobotInstall'. The primary attack pattern involves directing users to external PDF files via these links.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://millenniummath.com/uploads/1/3/0/2/130287835/8c5279a3ec3f.pdf
    • http://alexandremartorano.com/uploads/1/3/0/6/130620781/kexobase.pdf
    • http://trendshops4.fun/uploads/2020/01/28/4890994.pdf
    • http://nicequotes.net/uploads/1/3/0/6/130620669/xanokatusezujugumar.pdf
    • http://sandandgraveldelivery.com/uploads/1/3/0/7/130739577/ade7c4.pdf
    • http://robb.site/uploads/1/3/0/8/130813648/tiwiderisolaru-xigesun-vinanokifisu-nupixefoxovewag.pdf
    • http://miskatonic-journal.ca/uploads/1/3/0/6/130639172/0a34eec7c1.pdf
    • http://goldpriceweb.com/uploads/1/3/0/4/130488750/fatamilafapote_debefetekesa_fuwuzulamelur.pdf
    • http://numaluvuf.familiarizarse.info/uploads/2020/01/28/8894240.pdf
    • http://islamicbankingblog.net/uploads/1/3/0/5/130588659/130588659.html#epilepsy+action+christmas+cards

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000011fa.bin
f29b4f70e3cfbec82cb653a3d952edf7bd3b19b296e8c4a68fe529d0e927beae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11FA 7420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.