Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1d4823b3f603cb2…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Authoring application: SWFTools
MD5: 7fd603b289f509f523ec3e5457cb9bd9
SHA-1: d66a5fe933920088aa18e33db19b7b23794c5403
SHA-256: b1d4823b3f603cb2089acb6ee593f7d60fe0fee7546e4b3a1a94db7eda2de661
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to manipulate search engine results or to redirect users to potentially malicious websites. The SE_CALLBACK_LURE heuristic also indicates a phishing or scam attempt: the document prompts the user to call a phone number in a billing or security context. No scripts were extracted from this sample.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [medium] SE_CALLBACK_LURE: Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003703.bin
SHA-256: ef57bca5c36c71147818dbf25d9dedef2410bdd77ab3a00224f1df5620c3887d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3703
Size: 8040 bytes