Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0ed34fd124fd945…

MALICIOUS

PDF

Size: 46.1 KB
Authoring application: Solid Converter PDF
MD5: 426ed6347dcbfcfbcd834e35acc29f59
SHA-1: 879ffec4ec1f28188fa801bd065e2dc04c38689f
SHA-256: c0ed34fd124fd9453846b108199f9016f78c2ba678f65ff5cdb71e75cd74b268
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to external PDF documents across various domains. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, likely related to phishing or traffic redirection.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000011a2.bin (2244398aee7a5d8de83f05ed026bcd0bc99b1bddfa0a11384b969b3a16cd5ec3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A2 | 8000 bytes
font_01_sfnt_off00006121.bin (6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6121 | 2864 bytes
font_02_sfnt_off00006af8.bin (45914d942225f75aeab2ad19c645749f4cb35b34e6477fd3b9de84f3f27f6feb) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AF8 | 16732 bytes