Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6ecb131983d8131…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Authoring application: Smallpdf Desktop
MD5: ff52362488f74450e1ac224c7478f708
SHA-1: 9ccf257c7012d3190e4c22ec95f75f84b8d461dc
SHA-256: d6ecb131983d8131d31a2b709d98899b1c2388b708486facc4209f691822d128
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. These links likely serve as a lure to redirect users to malicious content, as indicated by the ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall'. The document body itself is heavily obfuscated and does not provide clear textual lures, but the presence of numerous external links strongly suggests a phishing or malware distribution attempt.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Urgency / deadline lure (severity: low, ID: SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://novelistsandrahall.com/uploads/1/3/0/2/130288394/pukedaje_rufuj_fusufemabijamo_kitifofakepogat.pdf
    • http://glamfiendz.com/uploads/1/3/0/7/130739472/bca1f6f4a2dc2.pdf
    • http://naturalproducts.shop/uploads/1/3/0/2/130287472/adbaa70.pdf
    • http://laugh-ng.com/uploads/1/3/0/7/130740598/8738bb9.pdf
    • http://bangkokrepublik.co/uploads/1/3/0/7/130740212/wogop.pdf
    • http://joshuanagle.com/uploads/1/3/0/3/130312991/mejoxe.pdf
    • http://photojohn.net/uploads/1/3/0/2/130272440/dba298.pdf
    • http://skawennati.org/uploads/1/3/0/5/130590561/2c0e28dc91183b.pdf
    • http://healthiestandbestself.com/uploads/1/3/0/5/130550654/704354.pdf
    • http://fuzzymoon.net/uploads/1/3/0/5/130539908/517785.pdf
    • http://chrisbarnwell.com/uploads/1/3/0/4/130477146/govebudirekeludem.pdf
    • http://boneandjointdocs.com/uploads/1/3/0/6/130604518/44361.pdf
    • http://tmarienails.com/uploads/1/3/0/7/130739927/wuvafutipa.pdf
    • http://oachristchurch.org/uploads/1/3/0/4/130483809/60e67e745265ab.pdf
    • http://www.goodnaturedgoods.com/uploads/1/3/0/3/130323214/98a21cad774577.pdf
    • http://rocknaturally.com/uploads/1/3/0/2/130289652/71e5067c94e.pdf
    • http://theprocessperfomance.com/uploads/1/3/0/6/130621467/kobisemil_mefinasevime_vewixi_xosigudozulok.pdf
    • http://prouni2020.com/uploads/1/3/0/5/130544086/7b7a502b71.pdf
    • http://insureapplewatch.com/uploads/1/3/0/5/130588989/130588989.html#student+attendance+management+system+project+in+java+abstract

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005251.bin
SHA-256: f88b9dcc072fdfa999084fa913473d955a05db84ea6be5062f5b8e8bc2ae8154
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5251
Size: 9112 bytes