Malicious PDF — malware analysis report

Static analysis result for SHA-256 b21e0dc998c0d32f…

Verdict: MALICIOUS
File type: PDF
Size: 86.4 KB
Authoring application: pstoedit
MD5: 656ddd2af589fbd66ac10b292640a89d
SHA-1: 27440490136ea006f35b4031d37509261d2f4ee9
SHA-256: b21e0dc998c0d32fe111bd0867f0f3b33e7dc7f19be3b05c987a77cdc8523b1e
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a significant number of embedded external links, many of which follow a similar pattern of numeric or slug-based filenames within dated directories. This suggests a link farm or redirection scheme designed to lure users to potentially malicious content. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the immediate intent beyond the link farm.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://tofawumat.woltag.com/uploads/2020/01/28/1786344.pdf
    • http://cuisineandspirits.com/uploads/1/3/0/6/130621305/zaxija-sedilerajopitun-gonaz-fenadifefota.pdf
    • http://nobuhotelmarbella.devsite-1.com/uploads/1/3/0/2/130271179/a38f152.pdf
    • http://aprendizajeactivobrumiel.com/uploads/1/3/0/8/130814205/3744711.pdf
    • http://bestjacksonbonding.com/uploads/1/3/0/5/130543418/15301.pdf
    • http://tylerdsmith.org/uploads/1/3/0/4/130488387/lowamamux-gibos.pdf
    • http://laurenobern.com/uploads/1/3/0/3/130313649/bivonixigodok.pdf
    • http://moirarogers.net/uploads/1/3/0/7/130739389/e49a0538e644781.pdf
    • http://treasureoftheandes.com/uploads/1/3/0/4/130436483/gogujedakodepusarute.pdf
    • http://myguillermofloresuagro.net/uploads/1/3/0/5/130589231/994231baabeb.pdf
    • http://shs2020.com/uploads/1/3/0/2/130288562/nifora_farobofediv_fusowajobobide.pdf
    • http://multistreams.com/uploads/1/3/0/6/130621640/130621640.html#marina+abramovic+the+artist+is+present+analysis

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                    | Size
-----------------------------|------------------------------------------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off00001759.bin | 56a735d1753b828e0261ef850e5221ed842c69cea210cc1e4d30f0fa620534d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1759 | 12916 bytes
font_01_sfnt_off00007569.bin | 289a6186da0da51d7ceb6e56387d1db863cba7d5ed94561282dd229293510225 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7569 | 16592 bytes