Malicious PDF — malware analysis report

Static analysis result for SHA-256 bad0b3f1f8a98bb7…

MALICIOUS

PDF

Size: 43.6 KB
Authoring application: PDFBox
MD5: 9c39f83846221df67df9b3748c8b82df
SHA-1: 34222689577f289273bfc06a4e8bfd16b07856ca
SHA-256: bad0b3f1f8a98bb7f4c5e2d66eebea6273a03f995e3252fb1531c63ca31328fd
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The SE_INVOICE_LURE heuristic suggests a phishing or scam pretext. The ClamAV detection further confirms its malicious nature, classifying it as Pdf.Phishing.TtraffRobotInstall. The primary attack pattern involves directing users to a multitude of external PDF files, likely for malicious redirection or SEO spam.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb. This is useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000016ef.bin
SHA-256:  5f49aaff873dc121aa0a54ed73992ce69b0946349538d6ba89bb116edf78eac8
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x16EF
Size:     9116 bytes