Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb4ce3ed3eec6ebc…

MALICIOUS

PDF

36.9 KB Authoring application: Adobe PDF Library 9.0
MD5: 7bc7687ce5383255e16d29f5601fff58 SHA-1: ecc1f22e0faa585b83a593ed92db824ce2dcadec SHA-256: cb4ce3ed3eec6ebce436202c6db3ee1bc15211f6cc8f3ad9dc8dfb61a1fac5db
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or a distribution mechanism for further malicious content. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious intent, likely related to phishing or traffic redirection.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nimbleelephantnavigation.com/uploads/1/3/0/6/130639030/e147f295b9dd.pdf
    • http://backhanal.com/uploads/1/3/0/5/130588607/jenonafasixedol.pdf
    • http://beautybyellav.com/uploads/1/3/0/7/130775961/7394406.pdf
    • http://optronics.us/uploads/1/3/0/5/130551141/newurudimolak.pdf
    • http://babyfreebies2020.com/uploads/1/3/0/6/130621909/pajitezixuv.pdf
    • http://elev8catering.com/uploads/1/3/0/4/130476798/depulamoridima.pdf
    • http://rogersbellappleiphonereadreceiptssamsung.com/uploads/1/3/0/6/130620791/c3caee805ffa.pdf
    • http://healthyhomesindex.com/uploads/1/3/0/2/130288498/devopowelakum.pdf
    • http://coreforza.com/uploads/1/3/0/4/130435938/nasasasewogaf.pdf
    • http://instituteforreikistudies.com/uploads/1/3/0/8/130874582/6074848.pdf
    • http://devatacircle.org/uploads/1/3/0/6/130620845/sujuzizop.pdf
    • http://mandyowen.net/uploads/1/3/0/6/130621706/dd8273758846aa.pdf
    • http://getsolution.ca/uploads/1/3/0/3/130324063/6387287.pdf
    • http://www.kaixxa.emprisdurden.com/uploads/1/3/0/6/130639380/mefud-demelewanomave.pdf
    • http://neeshazollinger.com/uploads/1/3/0/8/130814993/vetesakorofepofu.pdf
    • http://terminal3.net/uploads/1/3/0/6/130603956/505772.pdf
    • http://lavishtravels.org/uploads/1/3/0/6/130639178/130639178.html#grade+5+math+worksheets+pdf
    • http://getsolution.ca/uploads/1/3/0/3/130324063/63872

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002a01.bin
e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2A01 2652 bytes
font_01_sfnt_off00003599.bin
9ee6a78b30db0aadb8b886cd94f389456f2133f6f31e7fb1afd8089778e2fdc5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3599 7468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.