Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7159c180069ca8e…

Verdict: MALICIOUS
File type: PDF
Size: 59.4 KB
Authoring application: Pdftk
MD5: b21c0af194525d6e5d013e5e2b6b97bc
SHA-1: 6e13ad8b393067ddc90e4af8f682f1c9a19f50c9
SHA-256: d7159c180069ca8e76f46a9fd95a9f1b88c485ca40d8e5f49aa6687fb1df5244
Risk score: 140

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

ClamAV detects the file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis extracted a large number of clickable external URLs, most of them pointing at further PDF files under near-identical '/uploads/1/3/0/…' paths on throwaway or free-hosting domains, which is the pattern of a generated SEO link farm rather than genuine document citations. The SE_CALLBACK_LURE heuristic (a phone number presented in a billing, refund, subscription, fraud or security context) points to a phishing or tech-support scam, and the link farm fits the same picture: the PDF itself carries no exploit but serves as a carrier that routes the reader onward into a malicious or unwanted-software delivery chain.

Heuristics 4

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://latchingontodonica.com/uploads/1/3/0/5/130541688/dalumeju-nexibow-zanak.pdf
    • http://orcphanage.com/uploads/1/3/0/4/130483277/3816109.pdf
    • http://onepakclub.com/uploads/1/3/0/4/130476389/zuxopuzagon-widanewap-tunafiviwodewiv-lofepag.pdf
    • http://ambermayde.shop/uploads/1/3/0/2/130289254/dibulomonamivavov.pdf
    • https://vobarofalibafe.weebly.com/uploads/1/3/0/4/130483765/5023588.pdf
    • http://naturesworks.net/uploads/1/3/0/6/130604004/6880535.pdf
    • https://lepetijo.weebly.com/uploads/1/3/0/3/130313370/f67d5.pdf
    • http://fibijuroz.shoppohudenie.ru/uploads/2020/01/28/6182702.pdf
    • http://kimmeridgeelectrics.com/uploads/1/3/0/2/130287529/8012491.pdf
    • http://carmendaughertyphotography.com/uploads/1/3/0/6/130621864/zijumegi.pdf
    • http://weseetheworldinbendaydots.weebly.com/uploads/1/3/0/4/130435898/d9558e87d.pdf
    • http://nutrition-ville.com/uploads/1/3/0/6/130639235/5937545.pdf
    • http://zumadeluxeco.weebly.com/uploads/1/3/0/4/130490378/f0444bcfd75.pdf
    • http://kimrichardsart.com/uploads/1/3/0/4/130483770/tomabedijoz-larigesuvab-kebedugetaxixe.pdf
    • http://norcalpomskies.com/uploads/1/3/0/5/130588961/fanuravujepolonu.pdf
    • http://pibhortolandia.org/uploads/2020/01/27/3213365.pdf
    • http://rebeccalaplacaattia.com/uploads/1/3/0/4/130476395/130476395.html#caledonian+sleeper+train+seats
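As an added example (not the analysis platform's own code), the Python below sketches how the two document-level heuristics above can be computed over raw PDF bytes: URLs are pulled from /URI link-annotation actions, /JS actions and plain body text so each one carries its channel label, PDF_SEO_LINK_FARM fires on a small file with many clickable .pdf links that cluster on one host, and SE_CALLBACK_LURE fires on a phone number sitting near billing/refund/subscription/fraud/security wording. The thresholds, the regex set and the minimal PDF constructed by build_sample_pdf (hosts under .invalid, a 555 phone number) are assumptions for illustration, not values taken from the report, and the sketch only handles literal strings and FlateDecode streams, not hex strings, object streams or other filters.

```python
"""Sketch of the PDF_SEO_LINK_FARM and SE_CALLBACK_LURE checks over raw PDF bytes.
Added example, not the analysis platform's implementation; thresholds, regexes
and the constructed sample PDF are illustrative assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds (not taken from the report).
SMALL_PDF_BYTES = 100 * 1024      # what counts as a "small" carrier
MIN_EXTERNAL_PDF_LINKS = 8        # how many .pdf links before it looks farmed
HOST_CLUSTER_RATIO = 0.5          # share of those links on the most common host
LURE_CONTEXT = ("billing", "refund", "subscription", "fraud", "security")

# Literal-string forms only; hex strings and object streams are out of scope here.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")   # link-annotation action
JS_RE = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.)*)\)")     # JavaScript action
TJ_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")      # text shown on the page
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def _blobs(pdf_bytes):
    """Raw file plus every stream body, inflated where FlateDecode succeeds."""
    out = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            out.append(m.group(1))
    return out


def extract_urls(pdf_bytes):
    """Return [(url, channel)], each URL labelled by the channel that reached it."""
    found, seen = [], set()

    def add(url, channel):
        if url not in seen:
            seen.add(url)
            found.append((url, channel))

    blobs = _blobs(pdf_bytes)
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            add(m.group(1).decode("latin-1"), "link annotation")
        for m in JS_RE.finditer(blob):
            for u in URL_RE.finditer(m.group(1)):
                add(u.group(0).decode("latin-1"), "javascript")
    for blob in blobs:  # whatever is left is plain body text
        for u in URL_RE.finditer(blob):
            add(u.group(0).decode("latin-1"), "document body")
    return found


def link_farm_check(pdf_bytes, urls):
    """PDF_SEO_LINK_FARM: small file, many clickable .pdf links, one dominant host."""
    pdf_links = [u for u, ch in urls
                 if ch == "link annotation" and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fired = (len(pdf_bytes) <= SMALL_PDF_BYTES
             and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
             and share >= HOST_CLUSTER_RATIO)
    return {"external_pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2), "fired": fired}


def extract_text(pdf_bytes):
    """Concatenate the literal strings drawn with Tj (enough for this sketch)."""
    return " ".join(m.group(1).decode("latin-1")
                    for blob in _blobs(pdf_bytes) for m in TJ_RE.finditer(blob))


def callback_lure_check(text):
    """SE_CALLBACK_LURE: a phone number within 120 chars of a billing/security word."""
    hits = []
    for m in PHONE_RE.finditer(text):
        window = text[max(0, m.start() - 120): m.end() + 120].lower()
        words = [w for w in LURE_CONTEXT if w in window]
        if words:
            hits.append((m.group(0), words))
    return hits


def build_sample_pdf(n_links=10, hosts=("example-farm.invalid",)):
    """Constructed sample (not the analysed file): minimal PDF with n_links /URI
    annotations cycling through hosts plus one Flate-compressed page stream."""
    content = zlib.compress(
        b"BT /F1 12 Tf 72 700 Td (Your annual subscription has been renewed for $399.99.) Tj "
        b"0 -16 Td (To request a refund call 1-800-555-0199 within 24 hours.) Tj ET")
    refs = " ".join(f"{5 + i} 0 R" for i in range(n_links)).encode()
    objs = [b"%PDF-1.4",
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Contents 4 0 R /Annots [" + refs + b"] >> endobj",
            b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
            + content + b"\nendstream\nendobj"]
    for i in range(n_links):
        url = f"http://{hosts[i % len(hosts)]}/uploads/1/3/0/{i}/{1000 + i}.pdf"
        objs.append(f"{5 + i} 0 obj << /Type /Annot /Subtype /Link "
                    f"/A << /S /URI /URI ({url}) >> >> endobj".encode())
    objs.append(b"trailer << /Root 1 0 R >>\n%EOF")
    return b"\n".join(objs)


if __name__ == "__main__":
    sample = build_sample_pdf()
    urls = extract_urls(sample)
    for url, channel in urls:
        print(f"{channel:16} {url}")
    print(link_farm_check(sample, urls))
    print(callback_lure_check(extract_text(sample)))
```

Run against a real file, replace the constructed sample with `open(path, "rb").read()`; the channel label is what lets an analyst separate a URL the reader can actually click (link annotation, JavaScript) from one that merely appears in the text, which is why EMBEDDED_URL on its own is informational while the link-farm and lure logic are scored.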

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001387.bin
  SHA-256: 2eb263d2f4ee3cc870a8cf7008bff31cb55d4b0d87d472868151dbc8f7ec7fbb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1387
  Size: 8460 bytes

Filename: font_01_sfnt_off0000a29b.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA29B
  Size: 16036 bytes