Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb7e6983df0a13a2…

MALICIOUS

PDF

87.3 KB Authoring application: Inkscape
MD5: e04745f5968945e3f9b3c4540fe8c92d SHA-1: 287c02376b45fdbca64047a267d7f76d39a1467c SHA-256: cb7e6983df0a13a2b7c4e2c8b111c0c0c2040ffc57c3c49ae1fce216b9fab529
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file contains a large number of external links, many of which appear to be part of an SEO link farm, suggesting a malicious intent to drive traffic or host malicious content. The 'SE_CALLBACK_LURE' heuristic indicates the document prompts the user to call a phone number, a common tactic in callback phishing and tech-support scams. ClamAV also detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. No scripts were extracted, but the embedded URLs and heuristics strongly suggest a phishing or scam campaign.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://biztriage.com/uploads/1/3/0/3/130323445/6264956.pdf
    • http://dilutebuso.funblog.online/uploads/2020/01/29/natin_gefamuxiw_kagep.pdf
    • http://easyvoxbox.net/uploads/1/3/0/7/130739470/tazodipiselokujuj.pdf
    • http://onetopshot.site/uploads/1/3/0/2/130291449/jexuwuwugeje.pdf
    • http://meridiancorporatecenter.com/uploads/1/3/0/6/130639471/sofigagojike-medeguz-wilexelu-rajir.pdf
    • http://cesartechnologiesltd.com/uploads/1/3/0/6/130621721/3141369.pdf
    • http://miracleinabucket.com/uploads/1/3/0/6/130621880/174182.pdf
    • http://crxo.com/uploads/1/3/0/5/130589267/funidosebiv.pdf
    • http://pageappliance.net/uploads/1/3/0/6/130620861/kajuweje.pdf
    • http://noblecountylibrary.com/uploads/1/3/0/5/130539295/bulamerajubaliwewajo.pdf
    • http://veronicaasorey.com/uploads/2020/01/28/legatubimut.pdf
    • http://votebyronmartin.com/uploads/1/3/0/6/130604715/630912.pdf
    • http://northernrailleaders.com/uploads/1/3/0/5/130545011/130545011.html#green+river+wy+fishing+report

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001579.bin
07da22e6f22023be265d5a8fc6426410233470c6ba8e7243650651621397d0b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1579 8872 bytes
font_01_sfnt_off0000924a.bin
d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x924A 2616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.