Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9a2b36093fbcab2…

Verdict: MALICIOUS
File type: PDF
Size: 37.5 KB
Authoring application: PDFBox
MD5: ae179edd4ea06493034632f99bee956d
SHA-1: 46f98c4c3b2dd6e03504777009681691247c83c4
SHA-256: c9a2b36093fbcab2ae229ec4e35c8165be3a4354e8ba586ee08ca90bb6064193
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic; generated link-farm PDFs of this kind are a common carrier for distributing malicious content. The ClamAV detection further supports the malicious verdict, flagging the file as Pdf.Phishing.TtraffRobotInstall. The embedded URLs likely lead to further stages of infection or to phishing pages.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://mrsjdodds.com/uploads/1/3/0/2/130287407/eaf147.pdf
    • http://dp360crrn.com/uploads/1/3/0/5/130540814/6dbc845b4816dc.pdf
    • http://nadinesteklenski.com/uploads/1/3/0/5/130543353/2177323.pdf
    • http://mjvsms.ca/uploads/1/3/0/4/130478160/piroluvavuxuwufamob.pdf
    • http://adabookkeepingservices.com/uploads/1/3/0/4/130476244/0e4e9150f4.pdf
    • http://35andunder.com/uploads/1/3/0/5/130588417/2867888.pdf
    • http://leapfrogcamo.ca/uploads/1/3/0/4/130490421/2630279.pdf
    • http://bshk.hklss.hk/uploads/1/3/0/5/130550953/7003231.pdf
    • http://sharedtravel.voyagerwebsites.com/uploads/1/3/0/4/130490151/130490151.html#alter+ego+a1+audio+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, its SHA-256, the artifact kind, where in the sample it was found (source), and its size.

  • font_00_sfnt_off00001123.bin
    SHA-256: b252cadf3d10bc55cb1f7ca89b5675fe4863940f0201ba199aee5e305abde4b8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1123
    Size: 8328 bytes
  • font_01_sfnt_off00004743.bin
    SHA-256: 34946728d79031c77a6a56b812733eebc894009bf81e99b5bb39031b59fb05ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4743
    Size: 17544 bytes