Malicious PDF — malware analysis report

Static analysis result for SHA-256 c493684168c73da0…

Verdict: MALICIOUS
File type: PDF
Size: 38.1 KB
Authoring application: Smallpdf Desktop
MD5: 4be3e5ce987cf98982aa763053ab8f92
SHA-1: 221240ee3576d857f7b92204029d148c2ecb8bc5
SHA-256: c493684168c73da05b0b1c1d824cfe093d73193eb7ba5319b580d33a3cd0616f
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

ClamAV detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis found an unusually large number of external link annotations for a 38 KB document, which indicates a link farm or redirection mechanism rather than ordinary citations. The page text is fragmented filler about 'Arthroscopy recovery exercises', and the link targets are PDFs hosted on many otherwise unrelated domains that all share the same /uploads/1/3/0/<digit>/<id>/ path layout, consistent with an automatically generated SEO-style campaign that routes readers into a phishing or unwanted-software distribution chain. The URLs are indicators to block and hunt for, not proof of what each target currently serves.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    The PDF is small yet carries many clickable external links to other PDFs, either clustered on one host or, as in this sample, spread across many hosts that share one upload path layout. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware under the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Signature detections corroborate the structural heuristic above; neither alone explains what the links deliver.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels name the channel (macro, JavaScript, link annotation, document body, ...) through which each URL is reachable.
    • http://nharmonycastingandtalent.com/uploads/1/3/0/6/130621579/befiki.pdf
    • http://wazyshairsalon.com/uploads/1/3/0/5/130588501/vosudalawidawuxi.pdf
    • http://rootcausewellness.com/uploads/1/3/0/6/130605509/topuzodimeba_lurevix.pdf
    • http://mywhiteprivilege.org/uploads/1/3/0/4/130436458/b3c2d385721af61.pdf
    • http://argyllwinter.com/uploads/1/3/0/3/130324278/kimemuwira_rijujomisokezok.pdf
    • http://www.skywellness.org/uploads/1/3/0/3/130323522/7768a9ce4cbd847.pdf
    • http://www.snowyriverminiaussies.com/uploads/1/3/0/4/130488469/zemutujamovadunir.pdf
    • http://newyearsknockout.com/uploads/1/3/0/6/130621850/2050339.pdf
    • http://bballguru.com/uploads/1/3/0/4/130489467/78992069c6e.pdf
    • http://thearchitecturalgardendigest.com/uploads/1/3/0/4/130483986/lepini_gusugujif.pdf
    • http://godenergi.com/uploads/1/3/0/7/130775968/tutuj-balawesabex-ridagamuwajepaf.pdf
    • http://afsanehkhoramshahi.com/uploads/1/3/0/4/130476262/dafenaludaviga.pdf
    • http://michelemoddesign.com/uploads/1/3/0/4/130435673/sodudewimunaximof.pdf
    • http://play-doctor.anyball.info/uploads/1/3/0/5/130589199/zaxokekerarujofo.pdf
    • http://paulhobkirk.com/uploads/1/3/0/5/130550693/muxusot_gorugov_widilokukev.pdf
    • http://bjhmontgomery.com/uploads/1/3/0/7/130740563/ruxekatorol-wubumifez-jutemok-gefanobajasa.pdf
    • http://saferescuefordogs.com/uploads/1/3/0/5/130551417/divefigoluj.pdf
    • http://www.happily-ever-after.studio/uploads/1/3/0/6/130605358/a3ca106a475a.pdf
    • http://amicoffeecompany.com/uploads/1/3/0/2/130272932/vowimonojozoje.pdf
    • http://completefootballperformance.com/uploads/1/3/0/5/130552043/4238773.pdf
    • http://ocumoney.com/uploads/1/3/0/5/130551245/fazisut.pdf
    • http://tuxebase.com/uploads/1/3/0/2/130270847/3084919.pdf
    • http://nanasglitter.com/uploads/1/3/0/7/130776775/rodagazemeripal.pdf
    • http://unharness79.pleasingfood.com/uploads/1/3/0/8/130813146/130813146.html#arthroscopy+recovery+exercises
    • http://tuxebase.com/up
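The PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above, as an added example that is not code from the report or its scanner: extract every URL labelled by the channel that reaches it (link annotation, JavaScript action, content stream), then score the link-farm pattern. It generalises slightly beyond the heuristic text: besides clustering on one host, it also flags many hosts that share one directory layout, which is what this sample shows. The regexes, the thresholds, the .test hostnames and the constructed PDF are my assumptions, and the regex approach only works on uncompressed object syntax.

```python
"""Added example, not tooling from the report or its vendor: reproduce the
PDF_SEO_LINK_FARM and EMBEDDED_URL logic over an uncompressed PDF.
Assumptions (mine): object syntax is plain text, so regexes suffice; real
samples need a full parser (object streams, filters, escaped strings) first.
"""
import re
from collections import Counter
from urllib.parse import urlparse

URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")               # /Link annotation target
JS_ACTION = re.compile(rb"/S\s*/JavaScript\b.*?/JS\s*\((.*?)\)\s*>>", re.S)  # JavaScript action body
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)               # page content (document body)
URL_IN_TEXT = re.compile(rb"https?://[^\s\"'<>()\\]+")


def build_sample_pdf(link_urls, js_url=None, body_url=None):
    """Constructed test input: one page, one /Link annotation per URL, an
    optional JavaScript OpenAction, and a URL (or filler text) as page text."""
    objs, annots, n, extra = [], [], 4, b""
    for u in link_urls:
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (n, u.encode()))
        annots.append(b"%d 0 R" % n)
        n += 1
    if js_url:
        objs.append(b'%d 0 obj << /S /JavaScript /JS (app.launchURL\\("%s", true\\);) >> endobj'
                    % (n, js_url.encode()))
        extra, n = b" /OpenAction %d 0 R" % n, n + 1
    text = (body_url or "Arthroscopy recovery exercises").encode()
    content = b"BT /F1 12 Tf 72 720 Td (%s) Tj ET" % text
    objs.append(b"%d 0 obj << /Length %d >> stream\n%s\nendstream endobj" % (n, len(content), content))
    parts = [b"%PDF-1.4",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R%s >> endobj" % extra,
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
             b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
             b"/Contents %d 0 R /Annots [%s] >> endobj" % (n, b" ".join(annots))]
    return b"\n".join(parts + objs + [b"trailer << /Root 1 0 R >>", b"%%EOF"]) + b"\n"


def extract_urls(pdf):
    """Every URL found, labelled by the channel that reaches it."""
    found = [("link_annotation", m.group(1).decode("latin-1")) for m in URI_ACTION.finditer(pdf)]
    for m in JS_ACTION.finditer(pdf):
        found += [("javascript", u.decode("latin-1")) for u in URL_IN_TEXT.findall(m.group(1))]
    for m in STREAM.finditer(pdf):  # real files: inflate /FlateDecode streams before this
        found += [("content_stream", u.decode("latin-1")) for u in URL_IN_TEXT.findall(m.group(1))]
    return found


def link_farm_score(pdf, size_limit=100_000, min_links=10):
    """Flag a small PDF whose clickable external .pdf links pile onto one host
    or onto one directory layout (digit runs normalised to N) across many hosts."""
    urls = extract_urls(pdf)
    ext_pdf = [u for ch, u in urls
               if ch == "link_annotation" and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in ext_pdf)
    layouts = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0]) for u in ext_pdf)
    top_host = max(hosts.values()) / len(ext_pdf) if ext_pdf else 0.0
    top_layout = max(layouts.values()) / len(ext_pdf) if ext_pdf else 0.0
    flagged = (len(pdf) <= size_limit and len(ext_pdf) >= min_links
               and (top_host >= 0.5 or top_layout >= 0.8))
    return {"size": len(pdf), "urls": urls, "external_pdf_links": len(ext_pdf),
            "distinct_hosts": len(hosts), "top_host_share": round(top_host, 2),
            "top_layout_share": round(top_layout, 2), "flagged": flagged}


if __name__ == "__main__":
    # Twelve constructed targets that mimic the sample's /uploads/1/3/0/<digit>/<id>/ layout.
    farm = [f"http://host{i:02d}.test/uploads/1/3/0/{i % 8}/1306{i:05d}/doc{i}.pdf" for i in range(12)]
    report = link_farm_score(build_sample_pdf(farm, "http://js.test/x.pdf", "http://body.test/y.pdf"))
    for key, value in report.items():
        print(key, len(value) if key == "urls" else value)
```

The layout check is what separates this sample from a bibliography: twelve distinct hosts would pass a host-clustering test, but every path collapses to /uploads/N/N/N/N/N, which no hand-written citation list produces.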

Extracted artifacts (1)

Files carved from inside the sample during analysis. Embedded fonts are normal in generated PDFs; the font below is recorded for hashing and correlation, not as a detection.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000032c1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x32C1  7664 bytes
SHA-256: 1ffb7da3eb49c099d5bbb9e416abcf26049b3bf6dd94cc8819a85a9037c3acf9
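Carving an embedded font the way the table above records it (object stream found, FlateDecode inflated, sfnt magic checked, offset, size and SHA-256 reported), as an added example that is not the report's own carver. The regex, the handling of only direct /Length values and a single FlateDecode filter, and the constructed stand-in font are my assumptions; the filename scheme mirrors the table's font_00_sfnt_off<offset>.bin.

```python
"""Added example, not the report's own carver: walk a PDF's stream objects,
inflate FlateDecode ones, and carve any whose payload starts with an sfnt
magic, reporting object number, file offset, size and SHA-256 in the shape
of the 'Extracted artifacts' table. Assumptions (mine): direct /Length
values, no object streams, and FlateDecode as the only filter."""
import hashlib
import re
import zlib

# sfnt container magics: TrueType, OpenType/CFF, Apple TrueType, TrueType collection
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF",
               b"true": "TrueType", b"ttcf": "TrueType collection"}
# "N 0 obj << ... >> stream" without crossing an endobj; the tempered dot keeps
# the dictionary inside one object even when earlier stream data is binary.
STREAM_OBJ = re.compile(rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)


def carve_sfnt_streams(pdf):
    """Return one record per stream whose (decoded) payload is an sfnt font."""
    hits = []
    for m in STREAM_OBJ.finditer(pdf):
        objnum, dictionary, start = int(m.group(1)), m.group(2), m.end()
        lm = re.search(rb"/Length\s+(\d+)\b(?!\s+0\s+R)", dictionary)
        if not lm:
            continue  # indirect "/Length N 0 R" would need xref resolution
        raw = pdf[start:start + int(lm.group(1))]
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or multi-filter stream; not handled here
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue
        hits.append({"object": objnum, "offset": start, "kind": kind, "size": len(data),
                     "sha256": hashlib.sha256(data).hexdigest(),
                     "filename": "font_%02d_sfnt_off%08x.bin" % (len(hits), start)})
    return hits


def build_sample_pdf(font_blob, compress=True):
    """Constructed test PDF: a text content stream plus a FontFile2 stream."""
    payload = zlib.compress(font_blob) if compress else font_blob
    filt = b" /Filter /FlateDecode" if compress else b""
    text = b"BT /F1 12 Tf 72 720 Td (Arthroscopy recovery exercises) Tj ET"
    parts = [b"%PDF-1.4",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
             b"3 0 obj << /Length %d >> stream\n" % len(text) + text + b"\nendstream endobj",
             b"4 0 obj << /Type /FontDescriptor /FontName /Fake /FontFile2 5 0 R >> endobj",
             b"5 0 obj << /Length %d /Length1 %d%s >> stream\n" % (len(payload), len(font_blob), filt)
             + payload + b"\nendstream endobj",
             b"trailer << /Root 1 0 R >>", b"%%EOF"]
    return b"\n".join(parts) + b"\n"


if __name__ == "__main__":
    # Constructed stand-in for a TrueType file: sfnt header bytes plus filler, not a valid font.
    blob = b"\x00\x01\x00\x00\x00\x0c" + bytes(range(256)) * 4
    for hit in carve_sfnt_streams(build_sample_pdf(blob)):
        print(hit)
```

The hash is taken over the decoded payload, so the same font yields the same SHA-256 whether or not the producing application compressed the stream; that is what makes the artifact hash usable for correlation across samples.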