Malicious PDF — malware analysis report

Static analysis result for SHA-256 af7328f19935e236…

MALICIOUS

PDF

45.5 KB Authoring application: PDFBox
MD5: ccf310fb87b8a8ab93dfb83f0f5c2132 SHA-1: 93578ba36c57d50254494a0da7d376eedf9145c9 SHA-256: af7328f19935e236cedd63303932afc2bc108aea24482f06acae15815911bbfb
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a mass external link farm, with multiple links pointing to other PDF files hosted on various domains. The document body presents a fake 'Adventurer enrollment form' and includes urgency language, consistent with phishing lures. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The primary attack pattern involves luring the user to click on one of the embedded malicious links, likely to download a second-stage payload or harvest credentials.

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://genius-encel.agency/uploads/1/3/0/4/130483739/ed5522.pdf
    • http://comslib.org/uploads/1/3/0/6/130622058/jezujosititanun_likage_najapup_jilin.pdf
    • http://virginiaconcretepaving.com/uploads/1/3/0/6/130603865/7499134.pdf
    • http://quirkytowers.com/uploads/1/3/0/6/130604653/4243913.pdf
    • http://pleasuretron.com/uploads/1/3/0/3/130313127/kutemoxukasu.pdf
    • http://jacksonspit.com/uploads/1/3/0/5/130590525/a9a5d7f3065057.pdf
    • http://jeromesbistro.com/uploads/1/3/0/6/130639629/1f9d9d3a2.pdf
    • http://synapse-productions.com/uploads/1/3/0/5/130541356/9007197.pdf
    • http://williamsonautomotive.ca/uploads/1/3/0/5/130551021/rigor.pdf
    • http://mytryshyn.com/uploads/1/3/0/3/130313088/80ddac39.pdf
    • http://novelgardener.weebly.com/uploads/1/3/0/2/130272918/1471278.pdf
    • http://cfthomas.com/uploads/1/3/0/6/130639233/130639233.html#adventurer+enrollment+form

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012e5.bin
318c88b661ec9afcb28b24417eb0dcd96527f389f0f58090ce1f18e8590c5dca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12E5 9412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.