Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd3aa75d76415cf0…

MALICIOUS

PDF

30.5 KB Authoring application: Serif PagePlus
MD5: 8dee3b9c335f274f0826f44ead006aad SHA-1: e9fd6d7bb92671e11ea3af62ff5c9aaf0486f3eb SHA-256: cd3aa75d76415cf015fb63cdeca744adddf4cbd18bc0a14b48ccb801d2d0954d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a critical heuristic firing for PDF_SEO_LINK_FARM, indicating a large number of embedded external links. The document body contains a mix of seemingly legitimate text and the same URLs found in the heuristics, suggesting a phishing or redirection attempt. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tylerdsmith.org/uploads/1/3/0/6/130621421/ladefal.pdf
    • http://144central.com/uploads/1/3/0/2/130289629/6953666.pdf
    • http://emaxb.com/uploads/2020/01/28/8757377.pdf
    • https://jevunezuf.weebly.com/uploads/1/3/0/4/130488500/rozezutugeruzetup.pdf
    • http://rosestroh.com/uploads/1/3/0/6/130621703/bemamizafiwosig-melipefinutev-pefimagizuf-povugoguforanu.pdf
    • http://medovurix.retinuelk.info/uploads/2020/01/28/pesisopoxarim.pdf
    • http://wozipeg.viewoptiononline.com/uploads/2020/01/28/vutezaxasuru.pdf
    • http://kbzproductions.net/uploads/1/3/0/3/130323207/130323207.html#ihome+ipl8bn+manual

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000111e.bin
c6414f7a97fc83e9ccc6cd42618f03f9319b10c81664bcba100d4fe3fc38342b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x111E 8304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.