Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6d70402a839c3bb…

Verdict: MALICIOUS

File type: PDF

Size: 36.9 KB
Authoring application: Karbon

MD5: bca35d0ba491275c04045f1880cc8785
SHA-1: 391efd9823bfbfa50765b77d5bc1326d57d62296
SHA-256: c6d70402a839c3bba0c6032f2d0ca93a7aea28ac50790f15e5952f19e8baabb2

Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body, though partially corrupted, mentions a 'Hollard funeral cover' and includes urgency language, suggesting a phishing or scam lure. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports a malicious intent related to phishing and traffic redirection.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Urgency / deadline lure [low, SE_URGENCY_LURE]
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). This is useful context, but low-signal without other findings.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000032e6.bin
    SHA-256: b95921e50a022262abcf812770a06c6381ab1e26b75c35d23162f0de63da0845
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x32E6
    Size: 8128 bytes