Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7c9e5a7837bcaee…

Verdict: MALICIOUS

File type: PDF

Size: 36.6 KB
Authoring application: GIMP

MD5: cf854a41fca349b2e4f6dfe9d08da972
SHA-1: 59cf7d3d7806e91917a1ab011c82342de089c03a
SHA-256: d7c9e5a7837bcaeea4649ad46dd04cf5e0d10a1abaa5cb9a0a08a2614374860b

Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to other PDF files, indicative of a link farm designed for SEO manipulation or phishing. The heuristic 'SE_INVOICE_LURE' suggests the document's content is intended to deceive users into believing it is a payment-related document. The ClamAV detection further confirms its malicious nature, classifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000038ce.bin
SHA-256: 195cba0f2e589d90fe2a3e8972865caf91afc6d566705146f6cd27762403194a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x38CE
Size: 7688 bytes