MALICIOUS, Risk Score: 140
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. The SE_CALLBACK_LURE heuristic and the presence of embedded URLs indicate a phishing or scam attempt, likely to trick users into visiting malicious sites or providing sensitive information. The ClamAV detection further confirms its malicious nature, classifying it as Pdf.Phishing.TtraffRobotInstall.
Heuristics 4
- Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]: Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Callback phishing phone lure [medium, SE_CALLBACK_LURE]: Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00003b99.bin 183d8d7e91e766e2fd9522465356a5fc2dac58cc7e78e361f414867ba496ea7d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3B99 | 8428 bytes |