Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6592a3b2f64a53e…

Verdict: MALICIOUS
File type: PDF
Size: 58.6 KB
Authoring application: SWFTools
MD5: 4807b5c9def63f5f5893cfb90ca1d123
SHA-1: 8c1c53e340ffbe526047c12041c7d05adaeeb88c
SHA-256: c6592a3b2f64a53e73da9ccf1209927d0bfe29056c275bc47386851576825ed2
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic, which is indicative of SEO manipulation or a phishing campaign. The document body, though partially obfuscated, mentions 'Seventh day adventist lesson quarterly' and includes several URLs pointing to PDF files, reinforcing the lure. The SE_CALLBACK_LURE heuristic suggests a potential callback phishing or tech-support scam context, further supporting the malicious intent of directing users to external resources. No scripts were extracted from this sample.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure (severity: medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://principalwebmarketing.com/uploads/1/3/0/5/130588513/sixamaj.pdf
    • http://myfureverfrenchie.com/uploads/1/3/0/4/130483863/c0cff.pdf
    • http://effectivedistrict.com/uploads/1/3/0/2/130289320/3442557.pdf
    • http://mialombardo2020.com/uploads/1/3/0/6/130621989/def3822ac210.pdf
    • http://nancywijnants.com/uploads/1/3/0/3/130323510/refegi.pdf
    • http://pwcatl.org/uploads/1/3/0/5/130546543/vuwulebigedikutum.pdf
    • http://beingself-centered.com/uploads/1/3/0/6/130621942/130621942.html#seventh+day+adventist+lesson+quarterly

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001133.bin
  SHA-256: 78b59fc8fbba1ecc68c47a76914b12c814e08026da0c8de8581a29355a7fb8d9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1133
  Size: 9388 bytes

Filename: font_01_sfnt_off0000970b.bin
  SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x970B
  Size: 2652 bytes

Filename: font_02_sfnt_off00009fda.bin
  SHA-256: 8e79e6f40449bce11010868496ff806dc7d5faab648b4a9baf63b9dd17e2b45d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9FDA
  Size: 16092 bytes