Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1632d15bbd0a2d8…

Verdict: MALICIOUS
File type: PDF
Size: 34.2 KB
Authoring application: ImageMagick
MD5: 705582632fead461a0552591dfce6890
SHA-1: 3d811e9b1285498b91fa1a3aa3df51230457d583
SHA-256: b1632d15bbd0a2d8dfefdaeed950eddbef42a5b38b0cd6e1c31df57b8cdb916f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains a large number of embedded URLs, identified as a link farm. This technique is often used to manipulate search engine rankings or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious-distribution intent. No scripts were extracted from this sample, which limits the analysis of its direct execution capabilities.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002687.bin
SHA-256: f63c9b3bddd1f07a6f27d7ca239f3a1f5886e2e56f4f7b337a0396ce8c1c398a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2687
Size: 7356 bytes