Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2f8498eb5057684…

Verdict: MALICIOUS
File type: PDF
Size: 39.7 KB
Authoring application: SWFTools
MD5: 070e75e76acbc77d5e3a29dc4e833dc9
SHA-1: b6d9c509fd8c4159c1f0ac7c2b4fc4cb51dbec93
SHA-256: b2f8498eb5057684c48eeac361fb822220d8597bbc2f654af5499b516d0314ac
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which point to other PDF files, suggesting a link farm for SEO or traffic redirection. The document body explicitly mentions Aadhaar card download and includes multiple URLs, indicating a phishing lure. The 'SE_MFA_LURE' heuristic strongly suggests the intent is to harvest credentials or abuse multi-factor authentication. No scripts were extracted from this sample.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_MFA_LURE (high): MFA / one-time-code harvesting lure
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://sylvainetlesfilles.com/uploads/1/3/0/2/130287938/1231312.pdf
    • http://skylarktrustbank.com/uploads/1/3/0/6/130620968/9136339.pdf
    • http://sprintmoney.net/uploads/2020/01/29/5533475.pdf
    • http://bearsvsbabiesgame.net/uploads/1/3/0/4/130478481/koraroripujezo.pdf
    • http://b-24-thegreenhornet.net/uploads/1/3/0/2/130273798/9936067.pdf
    • http://mawami.pandora-sales.ru/uploads/2020/01/28/22d615749bd1.pdf
    • http://bradleygorman.com/uploads/1/3/0/6/130604690/6ad04438d30e237.pdf
    • http://roatansundowners.com/uploads/1/3/0/3/130323754/4681282.pdf
    • http://favefoto.com/uploads/1/3/0/2/130288768/1ba76c47a99.pdf
    • http://oakclass.com/uploads/1/3/0/5/130550888/130550888.html#aadhaar+card+download+by+enrolment+number

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011d2.bin
SHA-256: a25acfa8b97f954cffe908997530b52c9d98f3ceec0f8f4d33404653c05d4234
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11D2
Size: 8312 bytes