Malicious PDF — malware analysis report

Static analysis result for SHA-256 d828f7b135fa0e24…

Verdict: MALICIOUS
File type: PDF
Size: 49.7 KB
Authoring application: Adobe PDF Library 9.0
MD5: 53321532dd27729d3ca6982b40920b94
SHA-1: 9e4666636e5740d4fb12910995d558597e3a4020
SHA-256: d828f7b135fa0e24a845665e4a3d12583d410f6854c0b2ea3e3f0aceec774c2a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external links, which indicates a link-farm strategy. The primary heuristic 'PDF_SEO_LINK_FARM' confirms this, identifying 28 external PDF links, predominantly hosted on 'www.cuzzllc.com'. This suggests the document's purpose is to lure users into clicking these links, which likely lead to phishing pages or further malware downloads.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.cuzzllc.com/uploads/1/3/0/7/130739084/1f7a6f14dbfb.pdf
    • http://firstollie.org/uploads/1/3/0/6/130639699/3130999.pdf
    • http://thegiovanestore.com/uploads/1/3/0/3/130313434/eb727e.pdf
    • http://www.happywalks.net/uploads/1/3/0/8/130813604/1796590.pdf
    • http://justinelliotbrown.com/uploads/1/3/0/5/130544067/mojaz-desivog-rukufaba.pdf
    • http://jackiesaad.com/uploads/1/3/0/8/130874136/4943689.pdf
    • http://formormedia.com/uploads/1/3/0/5/130545884/801a85cbcd.pdf
    • http://flowersbytorrey.com/uploads/1/3/0/6/130604563/zobutudis-suziwip.pdf
    • http://rcspecializedagencies.org/uploads/1/3/0/7/130739124/2522031.pdf
    • http://www.themindofmyron.com/uploads/1/3/0/7/130776277/5746182.pdf
    • http://allaroundcontracting.net/uploads/1/3/0/6/130639998/6062f811c.pdf
    • http://svetsfiltar.com/uploads/1/3/0/5/130551585/4830459.pdf
    • http://lotusmediaprint.com/uploads/1/3/0/6/130621413/zedakelam.pdf
    • http://thrivewithjessiewhite.com.au/uploads/1/3/0/6/130620897/3415515.pdf
    • http://feel-well.org/uploads/1/3/0/4/130436147/130436147.html#ovarian+tumor+and+pleural+effusion

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                     Size
font_00_sfnt_off000049f4.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x49F4  16036 bytes
  SHA-256: ddc6c38a5929b263b215a5b0c7aa8b1a409f146866f06980111f9f21a6232bf4
font_01_sfnt_off00005e0b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5E0B  2600 bytes
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
font_02_sfnt_off0000698f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x698F  7816 bytes
  SHA-256: 4237fb077221b721b4215bb1f63f15c5eb792a7544d122406b3f2b0259128a11