Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1ba8d2fd5b08544…

Verdict: MALICIOUS
File type: PDF
Size: 95.5 KB
Authoring application: Poppler-utils
MD5: d3230e2e6b4d3dcab60c1e3a088791d6
SHA-1: 5204e506e32a17bf42e363f0b1a22f35aeb4c8a6
SHA-256: d1ba8d2fd5b08544910745d47a2fa475d4f0f6257716fce98ec354d7d4e5fc9c
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file triggers a critical-severity heuristic for a link farm: it contains 31 external PDF links, the first of which is http://providence-title.com/uploads/1/3/0/3/130312998/sudorufaloleba_vudux.pdf. A medium-severity heuristic additionally flags a callback phishing lure, indicating that the document prompts users to call a phone number in a deceptive context. ClamAV also detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. Taken together, the embedded URLs and these heuristics strongly suggest a phishing or scam campaign.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [medium] SE_CALLBACK_LURE: Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://providence-title.com/uploads/1/3/0/3/130312998/sudorufaloleba_vudux.pdf
    • http://hellomaychua.com/uploads/1/3/0/2/130272921/fcece375e2357.pdf
    • http://www.108infinity.com/uploads/1/3/0/5/130550994/xiwifotafewa.pdf
    • http://nelsononline.net/uploads/1/3/0/6/130605278/dcad233ca88bf7.pdf
    • http://4ufurnituredesign.com/uploads/1/3/0/5/130539691/bffe717.pdf
    • http://www.vidafitnessparis.fr/uploads/1/3/0/7/130775627/a6a533.pdf
    • http://acwhk.org/uploads/1/3/0/7/130776279/gojawolilogezuj.pdf
    • http://www.blackwomensyogaretreats.com/uploads/1/3/0/6/130605263/tebitodifidebiwi.pdf
    • http://pburg94rescue.org/uploads/1/3/0/4/130489437/4315309.pdf
    • http://breakingbadhouse.com/uploads/1/3/0/2/130271224/mibabupolevuse-jobumevun.pdf
    • http://haccpseminar.com/uploads/1/3/0/7/130740320/fd74d1bf90f87eb.pdf
    • http://mycambodonuts.com/uploads/1/3/0/7/130776525/nopemebozipivopu.pdf
    • http://jeremyandkristina.com/uploads/1/3/0/5/130543289/vezasojebuxit.pdf
    • http://www.exoticbulliessale.com/uploads/1/3/0/7/130738781/fisuruviwa.pdf
    • http://alexnicoll.com/uploads/1/3/0/7/130776812/pesogi.pdf
    • http://auto-pneumatyka.pl/uploads/1/3/0/8/130813496/vanoxeselokonip.pdf
    • http://giaradioministry.com/uploads/1/3/0/6/130621128/wavuzemafejipufanopo.pdf
    • http://chestnutpost.com/uploads/1/3/0/5/130550706/vodibebuv_gonipi_wawotix_vesevunebe.pdf
    • http://newyorkhomeclick.com/uploads/1/3/0/4/130483576/6095160.pdf
    • http://laughtercare.org/uploads/1/3/0/3/130379098/patelifip-gagemoja.pdf
    • http://precisionappliancerepair.org/uploads/1/3/0/7/130776085/lazumer.pdf
    • http://greenwolfverticalfarm.com/uploads/1/3/0/6/130620348/130620348.html#acog+pap+guidelines+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000119e.bin
SHA-256:  2a094ec69ec1cbd547abbf0afe745fddcbbc4749ab8a3dcc4cc620d4a8e9c0a1
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x119E
Size:     10336 bytes