Malicious PDF — malware analysis report

Static analysis result for SHA-256 a86b38b57ac981be…

Verdict: MALICIOUS
File type: PDF
Size: 49.2 KB
Authoring application: Inkscape
MD5: 7becac094a5b5de94d3b696842b9464a
SHA-1: 34318e51fcb7d194d79274f8aa8ef6f2c514a3ec
SHA-256: a86b38b57ac981be0b97c3ac7fe177eb0596c8f8fab47ee4da1c51eb3468c34c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. This behavior is indicative of a link farm or SEO manipulation tactic, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection further supports its malicious nature, identifying it as Pdf.Phishing.TtraffRobotInstall. No scripts were extracted from this sample, and the document body content is heavily corrupted and unreadable.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004e94.bin
    SHA-256: ddc6c38a5929b263b215a5b0c7aa8b1a409f146866f06980111f9f21a6232bf4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4E94
    Size: 16036 bytes
  • Filename: font_01_sfnt_off000065c4.bin
    SHA-256: 6e675769359379918be703d94e25d126315268af8c620c033d04a28627b39f84
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65C4
    Size: 7944 bytes