Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb3f51fc85d31672…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Authoring application: Poppler-utils
MD5: 4688d2fc1eb10820f65258e24e772940
SHA-1: cae3dd43b211d306dde1db7698650cc278c712b2
SHA-256: cb3f51fc85d31672136a529b39bb32439519085f3e2beb155f9dff03dc8e58a7
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

ClamAV detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis found 17 clickable external links in a 45.1 KB document, which is the signature of a generated link-farm PDF used for SEO manipulation or to route readers to phishing or unwanted-software delivery sites, not of a document citing sources. The critical PDF_SEO_LINK_FARM heuristic fires on exactly this pattern. Note that the extracted URLs are not clustered on one host: they span 17 distinct domains but share an identical /uploads/1/3/0/<digit>/<nine-digit id>/ path template, which points to a single generator behind all of them; the last URL is an .html landing page whose fragment carries an SEO keyword phrase.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is what matters.
    Extracted URLs (17):
    • http://icom.space/uploads/1/3/0/9/130969422/vasaza.pdf
    • http://bankheadboys.com/uploads/1/3/0/7/130739069/tutoli_vojilenig_rizowidokolok.pdf
    • http://beautybybfm.com/uploads/1/3/0/4/130489371/1220197.pdf
    • http://brhardwood.com/uploads/1/3/0/6/130620841/759138.pdf
    • http://babagoosh.com/uploads/1/3/0/6/130621488/fodeburakeb_ruranoda.pdf
    • http://www.buy.climbstation.com/uploads/1/3/0/4/130476921/rozipi.pdf
    • http://www.runbnb.net/uploads/1/3/0/4/130435927/3a77f26c88ddcb0.pdf
    • http://huangjiayulezhinan.br3h.com/uploads/1/3/0/5/130588596/6614958.pdf
    • http://clearcopmany.com/uploads/1/3/0/2/130288421/galojibekimep.pdf
    • http://mindhealthconnection.org/uploads/1/3/0/7/130740164/35094d3cedde91.pdf
    • http://www.cognacprevin.com/uploads/1/3/0/3/130312914/9087309.pdf
    • http://motorcityracing.shop/uploads/1/3/0/7/130776275/9783f.pdf
    • http://slimyapple.com/uploads/1/3/0/5/130590456/315043.pdf
    • http://meteorcrater.us/uploads/1/3/0/5/130551375/1118803.pdf
    • http://soselectrical.co.nz/uploads/1/3/0/4/130476068/1ed31322da2.pdf
    • http://www.ncssomerset.org/uploads/1/3/0/2/130272333/suvafop-wesixanamabiror-nodixuzimidu.pdf
    • http://74-123-75-26.mgwnet.com/uploads/1/3/0/7/130738603/130738603.html#acer+aspire+one+725-c7xkk
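The PDF_SEO_LINK_FARM heuristic above is described only in prose. The following is an added example, not the scanner's own code, that approximates it with the standard library alone: it pulls /URI link actions out of a PDF's plain objects and out of inflated FlateDecode streams (where a generator can hide them from a naive grep), then scores the file on size, link count, host spread and the shared path template that this report's URLs exhibit. The thresholds, the helper names and the sample PDF built by build_sample_pdf are all assumptions for illustration; the real scanner's cut-offs are not on the page.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical thresholds chosen for this illustration; the scanner's real cut-offs are not published.
MAX_SIZE_BYTES = 200 * 1024
MIN_EXTERNAL_LINKS = 10

# /URI (literal string) with PDF escapes; the lookbehind stops "endstream" being taken as a stream start.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_pdf_string(raw: bytes) -> str:
    """Decode the common PDF literal-string escapes: \\( \\) \\\\ and octal \\ddd."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):            # backslash
            j = i + 1
            if 0x30 <= raw[j] <= 0x37:                       # up to three octal digits
                k = j
                while k < len(raw) and k - j < 3 and 0x30 <= raw[k] <= 0x37:
                    k += 1
                out.append(int(raw[j:k], 8) & 0xFF)
                i = k
            else:
                out.append(raw[j])
                i = j + 1
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Every /URI target in plain objects plus those inside inflatable FlateDecode streams."""
    buffers = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            buffers.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed, or damaged: nothing further to inflate
    return [unescape_pdf_string(m.group(1)) for buf in buffers for m in URI_RE.finditer(buf)]


def link_farm_verdict(pdf: bytes) -> dict:
    """Score a PDF the way the heuristic is described: a small file carrying many external links."""
    uris = extract_uris(pdf)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    # Collapse digits so URLs from one generator template group together: the report's
    # /uploads/1/3/0/<d>/<9 digits>/ paths all become /uploads/N/N/N/N/NNNNNNNNN.
    templates = Counter(re.sub(r"\d", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in external)
    return {
        "size": len(pdf),
        "uris_in_raw_objects": len(URI_RE.findall(pdf)),   # what a grep over the file would see
        "external_links": len(external),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(external) if external else 0.0,
        "dominant_path_template": templates.most_common(1)[0] if templates else None,
        "PDF_SEO_LINK_FARM": len(pdf) <= MAX_SIZE_BYTES and len(external) >= MIN_EXTERNAL_LINKS,
    }


def build_sample_pdf(urls: list, compress: bool = False) -> bytes:
    """Constructed test input (not a real sample): one page whose /Link annotations point at `urls`.
    With compress=True the annotation objects are wrapped in FlateDecode streams, standing in for the
    object streams a generator can hide link actions in. No xref table: the scan does not need one."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>")
    for u in urls:
        esc = u.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + esc + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        if compress and num >= 4:
            data = zlib.compress(obj)
            obj = b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream"
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"%%EOF\n"


# Constructed URLs that mimic the report's shared path template across many hosts.
SAMPLE_URLS = ["http://site%02d.example/uploads/1/3/0/%d/1305%05d/doc.pdf" % (i, i % 9, i) for i in range(12)]

if __name__ == "__main__":
    for compress in (False, True):
        print("compressed=%s" % compress, link_farm_verdict(build_sample_pdf(SAMPLE_URLS, compress)))
```

Running it shows the verdict firing on both variants, while uris_in_raw_objects drops for the compressed one: a grep for /URI over the raw file misses link actions stored in compressed streams, which is why the extraction step must inflate before it counts. The host-share field reproduces the caveat noted in the verdict text: a farm spread across many throwaway domains shows a low top-host share, so the path-template counter is the more robust clustering signal for samples like this one.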

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00003353.bin | 646cc9e63298581fcd89936edf5119e31472a55f3322140fa5d0c44fc4a05f39 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3353 | 12060 bytes
font_01_sfnt_off000055c6.bin | fc177a85670267f51a0f19eed7c556a8da3276ffd426bdddf77a10362c8a4a19 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x55C6 | 7608 bytes