Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3469d6c2837bb60…

Verdict: MALICIOUS
File type: PDF
Size: 46.1 KB
Authoring application: pdf-parser
MD5: ff21201fffa2439faffb7a23da75794d
SHA-1: 16c5b07a009fef5385730e91de089869afb0a501
SHA-256: d3469d6c2837bb60deae0ff2fe8a07fe85af370848449cadcae31d9d6f030070
Risk score: 128

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries a large number of external links, the primary domain being 'alyssapack.com'. Taken together with ClamAV's detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0', this link-farm pattern strongly suggests a phishing or unwanted-software distribution campaign. The remaining embedded URLs point to other suspicious domains, which reinforces that assessment. The document body itself appears to be malformed or truncated and offers no direct content-based clues.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://alyssapack.com/uploads/1/3/0/5/130589150/475b137b3b89e7c.pdf
    • http://jintai.ru/uploads/2020/01/28/5e72f829716bd7.pdf
    • http://agros.fun/uploads/2020/01/28/diwisolom.pdf
    • http://finlabasia.com/uploads/2020/01/27/7056336.pdf
    • http://romowi.meitav-shuvu.org/uploads/2020/01/28/wiriwo.pdf
    • https://gorukoxizos.weebly.com/uploads/1/3/0/4/130483153/32f28e2a06e04.pdf
    • http://cleverk9sports.com/uploads/1/3/0/2/130287285/df0d9b088cd1.pdf
    • http://petersconstructionma.com/uploads/1/3/0/6/130604382/zijadebazasunuvarak.pdf
    • http://tevopidibu.sanacomounamanzana.com/uploads/2020/01/27/najinoxavurepalemoj.pdf
    • http://cashmere-shop.ru/uploads/2020/01/27/rorixomaxopawewot.pdf
    • https://kudufuwokon.weebly.com/uploads/1/3/0/4/130488955/3422510.pdf
    • https://jikixadez.weebly.com/uploads/1/3/0/2/130270953/pawuwugu_puxiweged.pdf
    • https://ledezuveruwis.weebly.com/uploads/1/3/0/4/130476320/e0e21932c7dd4.pdf
    • http://miguxak.freelance-zone.xyz/uploads/2020/01/28/jabadifi.pdf
    • http://bodyworkbybarb.com/uploads/1/3/0/5/130551096/130551096.html#cen+study+guide+questions
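The two heuristics above (the link-farm score and the per-channel URL labels) can be reproduced on an uncompressed PDF with a few regular expressions. The following Python is an added example written for this page, not the report engine's own code: it pulls URLs out of /URI link-annotation actions and out of /JS strings, tags each with the channel that reached it, and then applies a link-farm rule (small file, several clickable external .pdf links, most of them on one host). The sample PDF, the hostnames in it, and the thresholds in link_farm_score are all constructed assumptions for illustration; it only handles literal strings in uncompressed objects, so a real sample needs its object streams and Flate filters decoded first (pdf-parser or similar).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a small uncompressed PDF whose
# /Link annotations point at several .pdf URLs clustered on one host, plus an
# OpenAction JavaScript that also carries a URL. Hostnames are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://linkfarm.example/uploads/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://linkfarm.example/uploads/1/b.pdf) >> >> endobj
6 0 obj << /S /JavaScript /JS (app.launchURL("http://redirector.example/go.html", true);) >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://linkfarm.example/uploads/1/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://other.example/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Literal-string /URI entries of URI actions, and the body of /JS strings
# (one level of nested parentheses allowed, as in app.launchURL(...)).
# Only uncompressed literal strings are handled; object streams, FlateDecode
# filters and hex strings need a real parser (pdf-parser, peepdf) first.
URI_RE = re.compile(rb"/URI\s*\((?P<url>[^)]*)\)")
JS_RE = re.compile(rb"/JS\s*\((?P<js>(?:[^()]|\([^()]*\))*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs; the channel records which PDF feature
    reached the URL: 'link_annotation' for /URI actions, 'javascript' for
    URLs found inside /JS strings."""
    found = []
    for m in URI_RE.finditer(pdf):
        found.append(("link_annotation", m.group("url").decode("latin-1")))
    for m in JS_RE.finditer(pdf):
        for url in URL_RE.findall(m.group("js")):
            found.append(("javascript", url.decode("latin-1")))
    return found


def link_farm_score(pdf: bytes, max_size: int = 200_000,
                    min_pdf_links: int = 3, min_cluster: float = 0.6) -> dict:
    """Small file + several clickable external .pdf links + most on one host.
    Thresholds are illustrative assumptions, not the report engine's values."""
    urls = [u for ch, u in extract_urls(pdf) if ch == "link_annotation"]
    hosts = Counter(urlsplit(u).hostname or "" for u in urls)
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    cluster = top_n / len(urls) if urls else 0.0
    return {
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
                   and cluster >= min_cluster,
        "links": len(urls),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "cluster_ratio": round(cluster, 2),
    }


if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16s} {url}")
    print(link_farm_score(SAMPLE_PDF))
```

Separating the channel from the URL is what lets the report say "the URL itself is not a detection": a URL reached only from a link annotation needs a click, while one inside an OpenAction /JS string fires on open, so the same host list deserves different weights depending on the channel.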

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013ec.bin
SHA-256: 945791138397ab5e056e7e7790caa0a44992cccf7cd8d1d185c5805e6dfac9df
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13EC
Size: 9172 bytes
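A carved stream labelled "sfnt" is worth confirming, since an embedded-font slot is also a convenient place to hide an unrelated payload. The Python below is an added example for this page, not code from the report's pipeline: it parses the sfnt offset table and table directory, rejects anything that is not a TrueType/OpenType scaler tag or whose table records point outside the blob, and hashes the blob so the digest can be compared with the artifact table. The fixtures (GOOD_FONT, BAD_FONT, the CARRIER wrapper and FONT_OFFSET) are constructed here and are not the 9172-byte stream from the report.

```python
import hashlib
import struct

# sfnt "scaler type" tags: TrueType (0x00010000), OpenType/CFF ('OTTO'),
# Apple TrueType ('true'). 'ttcf' collections are deliberately not accepted.
SFNT_TAGS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}


def validate_sfnt(blob: bytes) -> dict:
    """Parse the offset table and table directory of a carved font stream and
    check that every table record lies inside the blob."""
    info = {"valid": False, "tag": None, "tables": [],
            "sha256": hashlib.sha256(blob).hexdigest()}
    if len(blob) < 12:
        info["error"] = "shorter than an sfnt offset table"
        return info
    tag = blob[:4]
    info["tag"] = tag
    if tag not in SFNT_TAGS:
        info["error"] = "not a TrueType/OpenType scaler tag"
        return info
    (num_tables,) = struct.unpack(">H", blob[4:6])
    if 12 + 16 * num_tables > len(blob):
        info["error"] = "table directory runs past end of stream"
        return info
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        t, _checksum, offset, length = struct.unpack(">4sIII", rec)
        if offset < 12 or offset + length > len(blob):
            info["error"] = f"table {t!r} points outside the stream"
            return info
        info["tables"].append((t.decode("latin-1"), offset, length))
    info["valid"] = True
    return info


def carve_and_validate(container: bytes, offset: int, length: int) -> dict:
    """Slice a stream out of the carrier file at a known offset and size (the
    values an artifact table records) and validate it as an sfnt font."""
    return validate_sfnt(container[offset: offset + length])


def build_sfnt(tables: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed test fixture: assemble a minimal TrueType-flavoured sfnt
    with 4-byte-aligned table bodies (checksums left at zero)."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    records, body = b"", b""
    offset = 12 + 16 * n
    for tag, data in tables:
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\x00" * ((-len(data)) % 4)
        body += padded
        offset += len(padded)
    return header + records + body


# Constructed fixtures (not the 9172-byte stream from the report).
GOOD_FONT = build_sfnt([(b"head", b"\x00" * 54), (b"name", b"\x00" * 20)])
# Same bytes, but the 'head' record's offset is rewritten to point far past
# the end: a blob that claims to be a font but whose directory is bogus.
BAD_FONT = bytearray(GOOD_FONT)
struct.pack_into(">I", BAD_FONT, 20, 0x7FFFFFFF)
BAD_FONT = bytes(BAD_FONT)
# A carrier with bytes before and after the font, standing in for a PDF
# stream body at a known offset.
CARRIER = b"%PDF-1.4\nstream\n" + GOOD_FONT + b"\nendstream\n"
FONT_OFFSET = CARRIER.index(GOOD_FONT)

if __name__ == "__main__":
    print(validate_sfnt(GOOD_FONT))
    print(validate_sfnt(BAD_FONT)["error"])
    print(carve_and_validate(CARRIER, FONT_OFFSET, len(GOOD_FONT))["valid"])
```

A blob that fails this check while the PDF still declares it as a /FontFile is a stronger lead than the font stream itself: either the carrier is corrupt (consistent with the malformed body noted above) or the slot is carrying something other than a font.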