Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbf3aa6c21d77c30…

MALICIOUS

PDF

Size: 51.9 KB
Authoring application: Karbon
MD5: 86a8c8ddffd1198b67f33264c9ed5f59
SHA-1: faa8391167603e709ba7d866983fc1c921e2ad0a
SHA-256: bbf3aa6c21d77c300330a6b62dc2d3e815494b4e6525bc0ab5fc3156cbe1e96d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique often used for SEO spam or to distribute malware. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious distribution intent. The document body itself is heavily obfuscated and does not provide clear textual lures, but the sheer volume of linked PDFs suggests a coordinated effort to drive traffic or deliver payloads.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rateurmp.com/uploads/1/3/0/2/130271004/katojoluteziso.pdf
    • http://meredithmorrisisawesome.com/uploads/1/3/0/6/130639675/8571712.pdf
    • http://www.stagingandremodeling.com/uploads/1/3/0/6/130620791/4475353.pdf
    • http://lashesbyalyssaabq.com/uploads/1/3/0/2/130288630/mavanugona-mapaxaseg-sufiwujako.pdf
    • http://banburymotortraders.com/uploads/1/3/0/5/130588162/xifuxurokobenu.pdf
    • http://sizemeplus.com/uploads/1/3/0/4/130489122/a8acc1b.pdf
    • http://buildingbiodiversity.club/uploads/1/3/0/7/130740624/8082817.pdf
    • http://speechtherapynorcal.com/uploads/1/3/0/3/130323342/winefejewiwamede.pdf
    • http://modimody.com/uploads/1/3/0/3/130323884/6633743.pdf
    • http://leanworkingcapital.com/uploads/1/3/0/5/130551418/3723739.pdf
    • http://www.selamat.fr/uploads/1/3/0/7/130739214/ffbee25645f.pdf
    • http://sexualharassmentlawsuit.com/uploads/1/3/0/6/130639114/diwikefog.pdf
    • http://propowerwashingllc.com/uploads/1/3/0/3/130323672/4166198.pdf
    • http://wallgears.com/uploads/1/3/0/4/130490155/7348731.pdf
    • http://minhavidaminhasescolhas.com/uploads/1/3/0/7/130739598/bokafatavadusa.pdf
    • http://firstprofessionalservices.com/uploads/1/3/0/6/130639929/telalenosujo.pdf
    • http://susanmastalsfoundation.org/uploads/1/3/0/6/130604283/373587.pdf
    • http://6jfes.slpny.com/uploads/1/3/0/4/130493893/130493893.html#zoo+animal+art+activities+for+toddlers

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010ff.bin
SHA-256: 54955f07c3bd7aea77731f22f41fb530f27c20240de943b3148e86156b9815bc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10FF
Size: 8400 bytes