Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccbed631942ceff2…

Verdict: MALICIOUS
File type: PDF
Size: 97.7 KB
Authoring application: Smallpdf Desktop
MD5: c649290cd00044522ab70097aa02ed9a
SHA-1: b2b4a982fcad08e2fc1273b574d240da71b62f1c
SHA-256: ccbed631942ceff2ac554dea353f3a4352dd278e0a7ad535777d85102fcf69bc
Risk score: 128

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic; that pattern is characteristic of generated link-farm carriers built to redirect users to potentially harmful content rather than of a document with genuine citations. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' independently points to a phishing or traffic-redirection campaign. No scripts were extracted and no readable text could be recovered from the document body, so the link farm and the ClamAV signature are the indicators that carry the verdict.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical; heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure (severity: low; heuristic: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • Embedded URL (severity: info; heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs below are plain http and follow one path template, /uploads/1/3/0/<digit>/<nine-digit id>/<name>, spread across twelve different hosts: the shared template, rather than a single host, is what ties them together.
    • http://fitissexy.net/uploads/1/3/0/5/130545327/464253.pdf
    • http://foodangels.org.uk/uploads/1/3/0/5/130540795/menubisevawak_bevezegavum.pdf
    • http://www.timbercreekcustomhomesga.com/uploads/1/3/0/7/130775472/daluxu.pdf
    • http://invite-change.com/uploads/1/3/0/6/130604292/wobival-kevovupubim-selovivuboda.pdf
    • http://theroachwarren.com/uploads/1/3/0/6/130604823/xodufuwege.pdf
    • http://www.bridgetonindexportfolios.com/uploads/1/3/0/4/130435943/bilenazivur-mivulap-judunajuxuv.pdf
    • http://morrisadvohealth.com/uploads/1/3/0/6/130621689/gitaparu.pdf
    • http://mywrappingco.com/uploads/1/3/0/2/130270966/teruk.pdf
    • http://halobook.com/uploads/1/3/0/6/130640003/e8ab1108061.pdf
    • http://cascadeinvestor.com/uploads/1/3/0/7/130739474/6234141.pdf
    • http://cosmic-rockbooklets.com/uploads/1/3/0/5/130551229/2384006.pdf
    • http://chloral21.pleasingfood.com/uploads/1/3/0/5/130540176/130540176.html#esc+nstemi+guidelines+2017+pdf
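The PDF_SEO_LINK_FARM heuristic above rests on three signals: a small file, many clickable external links, and links that cluster together. The following is an added example, not the analysis platform's own code, that evaluates those signals over raw PDF bytes with the Python standard library. It also buckets links by path template, because the twelve URLs listed under EMBEDDED_URL sit on twelve different hosts yet share one /uploads/... path shape, which a host-only cluster check would miss. The thresholds, function names and the constructed one-page PDF are assumptions; the URLs are the ones this report extracted.

```python
"""PDF link-farm heuristic over raw bytes (added example, not the analysis
platform's code). Pulls /URI targets out of Link annotations and checks the
signals PDF_SEO_LINK_FARM names: small file, many external links, clustering
on one host, plus clustering on one path template. Thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) in a Link annotation's action dictionary. Inside a PDF literal
# string, ( ) and \ are backslash-escaped, so an escaped ) never ends the match.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

MAX_SIZE_BYTES = 200 * 1024  # assumed: what counts as a "small" PDF
MIN_EXTERNAL_LINKS = 8       # assumed: what counts as "many" links
CLUSTER_RATIO = 0.6          # assumed: share of links in the largest host/template bucket


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target visible in the raw bytes. Caveat: annotations held in
    compressed object streams (/ObjStm) are invisible to a raw scan, so a real
    pipeline inflates those streams before running this."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo simple backslash escapes
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Collapse digit runs and the file name so generated paths such as
    /uploads/1/3/0/5/130545327/464253.pdf and /uploads/1/3/0/6/130604292/x.pdf
    fall into one bucket even though they live on different hosts."""
    path = re.sub(r"\d+", "N", urlsplit(url).path)
    return re.sub(r"/[^/]+\.(pdf|html?)$", r"/<name>.\1", path)


def link_farm_score(pdf: bytes) -> dict:
    """Evaluate the heuristic and return the evidence behind the decision."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    n = len(external)
    top_host = hosts.most_common(1)[0] if n else (None, 0)
    top_template = templates.most_common(1)[0] if n else (None, 0)
    clustered = n > 0 and max(top_host[1], top_template[1]) / n >= CLUSTER_RATIO
    return {
        "size_bytes": len(pdf),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_template": top_template,
        "hit": len(pdf) <= MAX_SIZE_BYTES and n >= MIN_EXTERNAL_LINKS and clustered,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: a one-page PDF whose only content is one Link
    annotation per URL, roughly what a generated link-farm carrier looks like."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % refs)
    for i, url in enumerate(urls):
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 400 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 15, url.encode("latin-1")))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


# The twelve URLs the report lists under EMBEDDED_URL, used here as sample input.
REPORT_URLS = [
    "http://fitissexy.net/uploads/1/3/0/5/130545327/464253.pdf",
    "http://foodangels.org.uk/uploads/1/3/0/5/130540795/menubisevawak_bevezegavum.pdf",
    "http://www.timbercreekcustomhomesga.com/uploads/1/3/0/7/130775472/daluxu.pdf",
    "http://invite-change.com/uploads/1/3/0/6/130604292/wobival-kevovupubim-selovivuboda.pdf",
    "http://theroachwarren.com/uploads/1/3/0/6/130604823/xodufuwege.pdf",
    "http://www.bridgetonindexportfolios.com/uploads/1/3/0/4/130435943/bilenazivur-mivulap-judunajuxuv.pdf",
    "http://morrisadvohealth.com/uploads/1/3/0/6/130621689/gitaparu.pdf",
    "http://mywrappingco.com/uploads/1/3/0/2/130270966/teruk.pdf",
    "http://halobook.com/uploads/1/3/0/6/130640003/e8ab1108061.pdf",
    "http://cascadeinvestor.com/uploads/1/3/0/7/130739474/6234141.pdf",
    "http://cosmic-rockbooklets.com/uploads/1/3/0/5/130551229/2384006.pdf",
    "http://chloral21.pleasingfood.com/uploads/1/3/0/5/130540176/130540176.html#esc+nstemi+guidelines+2017+pdf",
]
SAMPLE_PDF = build_sample_pdf(REPORT_URLS)

if __name__ == "__main__":
    for key, value in link_farm_score(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run as a script it prints the evidence dictionary for the constructed sample; replace SAMPLE_PDF with the bytes of a real file to triage it. On the report's URL set the top host holds only one of twelve links, so a host-only check would not fire, while eleven of twelve links share the /uploads/N/N/N/N/N/<name>.pdf template and trip the cluster ratio. Because the scan works on raw bytes, it will undercount links in PDFs whose annotations live in compressed object streams; that is the main gap to close before relying on it.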

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded TrueType/OpenType (sfnt) font programs; none of them is referenced by the heuristics above, so they are recorded as artifacts rather than findings.

Each entry lists filename, SHA-256, kind, source and size.

font_00_sfnt_off00006de8.bin
  SHA-256: 915baeb1e29b1296448dc25187851e9706b77add1d29a836586dd6d4826066cd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6DE8
  Size: 2600 bytes

font_01_sfnt_off0000769d.bin
  SHA-256: d3eeb6768c80348749d7e74ab3dbdf8e147d040e3f32e934073d6620268d7059
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x769D
  Size: 16220 bytes

font_02_sfnt_off00008f1a.bin
  SHA-256: 04f8faaab823f75121c2388338d4858cebf08bb6b9381d82ad777d3f3fc08551
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8F1A
  Size: 9416 bytes