Malicious PDF — malware analysis report

Static analysis result for SHA-256 d88269c98735a247…

MALICIOUS

PDF

40.8 KB Authoring application: Serif PagePlus
MD5: 7b470c675ea503a82ebc6dddf62f323b SHA-1: c7b75214bfe83f969577bfa00f6c65bf5bca6840 SHA-256: d88269c98735a2478df5d6e1e89e307cd2f425caf10cb432d2208e82cb52e055
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was detected by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection purpose. The critical heuristic 'PDF_SEO_LINK_FARM' confirms the presence of numerous external PDF links, with 'newbernapp.com' being a dominant host. This suggests the document's primary function is to distribute or link to other malicious content, likely for SEO poisoning or to facilitate further infection chains.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://newbernapp.com/uploads/1/3/0/5/130543543/7551974.pdf
    • http://emmycodes.com/uploads/1/3/0/5/130588532/9385322.pdf
    • http://myadnteam.com/uploads/1/3/0/5/130544413/2338526.pdf
    • https://vewariwovosu.weebly.com/uploads/1/3/0/4/130435583/sewupaxekupiki.pdf
    • http://bellafurdesigns.com/uploads/1/3/0/6/130621084/bobusu.pdf
    • http://dogzandcoffee.com/uploads/1/3/0/2/130289256/7726044.pdf
    • http://orderofthedarkcrown.com/uploads/1/3/0/4/130489398/zamoxar_gagote.pdf
    • http://michelejoyjewelry.com/uploads/1/3/0/6/130639181/jikigazamop.pdf
    • https://dijepifun.weebly.com/uploads/1/3/0/2/130289789/ziditubapasoniz-jodosugivuka-galene.pdf
    • http://oakhillcontractorsllc.net/uploads/1/3/0/6/130640018/xaxaxuga.pdf
    • http://tallahasseewmc.com/uploads/1/3/0/6/130604098/razatutugigosevox.pdf
    • http://thehnossaproject.com/uploads/1/3/0/4/130488338/130488338.html#virus+definition+symantec+endpoint+protection+14

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012e2.bin
4be3e4ce0ce730dba0e63fec3202faba04776b538a7996b602202ed681df5be4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12E2 8424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.