Malicious PDF — malware analysis report

Static analysis result for SHA-256 c364c7ab2e217999…

MALICIOUS

PDF

35.3 KB Authoring application: SWFTools
MD5: 90a4978e336fcc0bc99ae2034fdd6645 SHA-1: 38c3d785bdff35e132525171cf8bead7b3f69c40 SHA-256: c364c7ab2e217999242fb11e3b8b927b54d2d3bcedbe297106ddf4c2c544f089
144 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript and a large number of external links, identified as a link farm, suggesting a phishing or malware distribution attempt. The document body text, though partially corrupted, mentions 'Cash flow analysis template free' and includes phrases like 'make life easier', indicating a lure. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection purpose. The embedded links are likely used to redirect users to malicious sites or download further payloads.

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mynirvani.com/uploads/1/3/0/3/130379368/1faf5e.pdf
    • http://atlautodetailing.com/uploads/1/3/0/7/130775939/fumixamag_nekopoxija_jivupimi_mutadegazapele.pdf
    • http://ohmysolehelena.com/uploads/1/3/0/6/130621805/8d363db3ee.pdf
    • http://ajoyfulword.com/uploads/1/3/0/6/130621751/4334504.pdf
    • http://mynukshuk.com/uploads/1/3/0/4/130483540/rarutazutovawi-nalewazuwumar.pdf
    • http://wearepinball.com/uploads/1/3/0/4/130483852/5812254.pdf
    • http://meredithbirrell.com/uploads/1/3/0/7/130776201/130776201.html#cash+flow+analysis+template+free

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000010e2.bin
618db14a291d88caf7323feef666fad7f8e16c7f7fc02728c5e886a5cee968d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E2 7932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.