Malicious PDF — malware analysis report

Static analysis result for SHA-256 c81d6fd41c8940c9…

MALICIOUS

PDF

39.9 KB Authoring application: QPDF
MD5: d4b7a7ffc06bed3b8a7306fd78cc4f59 SHA-1: 5a1b41a7dc8eecc1f196634da03cb14e2e17448e SHA-256: c81d6fd41c8940c90f019c16508e67cdcba3c5bd346bb43833333e4222f9c9eb
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of embedded URLs pointing to other PDF files, indicative of a link farm. This is further supported by the 'SE_INVOICE_LURE' heuristic, suggesting a deceptive intent. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' confirms its malicious nature. No scripts were extracted, but the primary attack pattern involves directing users to a network of external links.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mosimannlab.com/uploads/1/3/0/6/130620384/9348255630b6.pdf
    • http://colormefitmd.com/uploads/1/3/0/7/130740092/e3bfb.pdf
    • http://carnesupremabrangus.com/uploads/1/3/0/6/130639205/6ede99d0fb.pdf
    • http://official-brands.com/uploads/1/3/0/2/130287847/xusaguz_zidavasajage_zoruzowet.pdf
    • http://calyculin.com/uploads/1/3/0/3/130323187/3964619.pdf
    • http://natashafine.com/uploads/1/3/0/6/130604765/xekosisokijazib.pdf
    • http://ebbandflood.net/uploads/1/3/0/6/130620521/nufukujeverobima.pdf
    • http://tccstories.com/uploads/1/3/0/5/130551302/gusame-rerumisazi.pdf
    • http://mlwolters.com/uploads/1/3/0/4/130476747/1488599.pdf
    • http://xuxurubije.ktosvoboden.com/uploads/2020/01/28/diwazofir-sonaniwedibug-wuvudubudaxis-luvuwopaviv.pdf
    • http://fel.kaknetb.pro/uploads/2020/01/28/fb9d72a5d4eeda6.pdf
    • http://mikeintucson.com/uploads/1/3/0/8/130814830/130814830.html#california+secretary+of+state+statement+of+information

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012a8.bin
763a55d0f69592df3b164f34df740d80b747df5b6bc499cf5fb0e50d5a9e4a6c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12A8 7548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.