Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5d4a85969faea6c…

MALICIOUS

PDF

37.2 KB Authoring application: Pdftk
MD5: 20cc61fc0f63eed6ffdefdbdb99994d8 SHA-1: b4e5a0a8a1481d4a9d7debc4c3cbfb89029e0664 SHA-256: c5d4a85969faea6c1d7a43762b19233fc3afc11315a3f9fa375b9df3e8bacc37
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a tactic to drive traffic to malicious or SEO-manipulated content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports a malicious intent. The document body is heavily obfuscated and does not provide clear textual lures, but the presence of a 'SE_DOWNLOAD_BUTTON' heuristic indicates a potential call-to-action for the user to download further content.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://brookity.org/uploads/1/3/0/5/130551991/likuban-woxegezexeze-dosetavuz.pdf
    • http://millerschoolmaster.com/uploads/1/3/0/5/130551115/8250622.pdf
    • http://millerforcommissioner.org/uploads/1/3/0/6/130604336/844d0.pdf
    • http://themindtrainerhypnosis.com/uploads/1/3/0/6/130620240/pevemedipepuwasik.pdf
    • http://modtran8.net/uploads/1/3/0/5/130588620/zuzomebono.pdf
    • http://mintofarm.ca/uploads/1/3/0/5/130541116/a0c256fc446a8a0.pdf
    • http://nhrealestate.org/uploads/1/3/0/6/130603989/merepesor.pdf
    • http://www.cezair.com/uploads/1/3/0/6/130640010/ea48d272.pdf
    • http://eventsnewmexico.com/uploads/1/3/0/5/130539102/8521169.pdf
    • http://myonebighappyphotography.com/uploads/1/3/0/2/130272362/9000433.pdf
    • http://danielscotthunt.com/uploads/1/3/0/6/130639733/b826d3e04.pdf
    • http://spicysnack.com/uploads/1/3/0/5/130589014/jepusafekifubize.pdf
    • http://jwallach.net/uploads/1/3/0/5/130588216/6ccb53dffb2d7.pdf
    • http://healingwatersrvpark.com/uploads/1/3/0/6/130605325/7171736.pdf
    • http://jakejelicich.com/uploads/1/3/0/8/130814763/kojekikawiden-jaluxuke-zukitini.pdf
    • http://mehners.com/uploads/1/3/0/5/130589020/6631427.pdf
    • http://74-123-72-107.mgwnet.com/uploads/1/3/0/5/130588809/130588809.html#sumif+function+in+excel+pdf
    • http://modtran8.net/uploads/1/3/0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003328.bin
58f745c8aacf74f52274e7facfdaa82d60de4af5ae117990fd3800e2e1d7ec1d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3328 8816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.