Malicious PDF — malware analysis report

Static analysis result for SHA-256 c804df29c41623f8…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Authoring application: Smallpdf Desktop
MD5: ffcacc74bef79bc88e3e7261d7ba6441
SHA-1: 64476ad9085e9e83c2191e34d19d1ad089ca5c96
SHA-256: c804df29c41623f89dec19ee9c4f09e5804f7a0e97fd0f77be42a88567134d74
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection purpose. The critical heuristic 'PDF_SEO_LINK_FARM' confirms the presence of 31 external links, many of which point to PDF files hosted on various domains. This suggests a link farm designed to lure users to potentially malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015af.bin
  SHA-256: 81606d00dd50a7f2581eb9ddc113654056663bb57ce1bdb9f14b65554d915bf0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15AF
  Size: 7528 bytes

Filename: font_01_sfnt_off000050c1.bin
  SHA-256: af19efb7a9162253415e60a41a822d39fca3be1f9d7a7d9fc69485b6262265ed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x50C1
  Size: 16068 bytes