Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc44b610d054c7a8…

MALICIOUS

PDF

Size: 42.2 KB
Authoring application: PDFBox
MD5: 531e78d1d05cc02257dfbad205d7a843
SHA-1: d64c9249e8ba07b72877b233ab06bb6e309ff66e
SHA-256: dc44b610d054c7a8194ee15d925129e466ab9a7569861cba200906338cab74e2
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded external links, almost all of them pointing at further PDF files hosted on unrelated domains under a shared /uploads/... path template. This is the pattern of generated SEO-poisoning link-farm documents, which exist to route search-engine traffic to malicious or unwanted-software delivery pages rather than to cite sources. The document body contains text related to 'Indian army training video 3gp' (the same phrase appears as a fragment in the final URL) together with the numerous URLs, consistent with a search-targeted phishing lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://superiorinspectionsdfw.com/uploads/1/3/0/6/130639448/ce14981733b.pdf
    • http://msnenglish.net/uploads/1/3/0/5/130547552/pidesi.pdf
    • http://elvi.site/uploads/1/3/0/2/130271095/xalopidugazonud_pibaw_biguba.pdf
    • http://neuropathydr.net/uploads/1/3/0/3/130313404/195bb40a72.pdf
    • http://bodyworkandmeditation.net/uploads/1/3/0/5/130588821/b26e391f8f2.pdf
    • http://noblevisioncenter.net/uploads/1/3/0/5/130551839/kogetibetugikisosa.pdf
    • http://motherhenmusic.org/uploads/1/3/0/3/130313854/datoweworo.pdf
    • http://sopoochtraining.com/uploads/1/3/0/6/130605015/vekinubivuniver.pdf
    • http://gab.lzsx.online/uploads/2020/01/29/2831371.pdf
    • http://miamilifebyluis.com/uploads/1/3/0/5/130543320/gurera-selifu-ragageleb-vediv.pdf
    • http://dozuli.ruonkolog.ru/uploads/2020/01/28/9354312.pdf
    • http://cecilyeiferle.com/uploads/1/3/0/6/130621947/130621947.html#indian+army+training+video++3gp
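The PDF_SEO_LINK_FARM heuristic above is simple enough to reproduce. The following is an added example written for this report, not the scanner's own rule code: it pulls /URI link actions out of a raw PDF, tallies hosts and file-type shares, and flags the small-file, many-.pdf-links, one-dominant-host combination the heuristic describes. The input PDF is constructed inline (the `build_sample_pdf` helper and the `.example` hostnames are assumptions for the demo, not artifacts of the analysed sample), and the thresholds are illustrative defaults, not the scanner's.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Matches /URI (literal string) entries in uncompressed PDF dictionaries.
# Handles escaped parentheses and backslashes inside the literal string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Constructed sample inputs (hostnames are placeholders, not from the sample).
FARM_URIS = [f"http://cdn-farm.example/uploads/1/3/0/5/1305{i:05d}/doc{i}.pdf" for i in range(10)] + [
    "http://other-one.example/uploads/2020/01/29/2831371.pdf",
    "http://other-two.example/130621947.html#lure+phrase",
]
BENIGN_URIS = [
    "https://doi.example/10.1000/xyz123",
    "https://publisher.example/article/42",
]


def build_sample_pdf(uris):
    """Constructed test input: a minimal uncompressed PDF with one /Link annotation per URI.
    No xref table is written; it is enough for byte-level parsing demos, not a conformant file."""
    annots, objs = [], []
    for num, uri in enumerate(uris, start=4):
        annots.append(f"{num} 0 R")
        objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ({uri}) >> >> endobj")
    lines = [
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        "3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + " ".join(annots) + "] >> endobj",
        *objs,
        "trailer << /Root 1 0 R >>",
        "%%EOF",
    ]
    return "\n".join(lines).encode("latin-1")


def extract_uris(pdf_bytes):
    """Return URIs from /URI literal-string actions visible in the raw file bytes."""
    found = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).decode("latin-1")
        found.append(re.sub(r"\\([()\\])", r"\1", raw))  # unescape \( \) \\
    return found


def has_object_streams(pdf_bytes):
    """True if the file uses object streams; link dictionaries may then be hidden
    inside FlateDecode-compressed streams and a raw byte scan will undercount them."""
    return b"/ObjStm" in pdf_bytes


def assess_link_farm(pdf_bytes, min_links=8, min_pdf_share=0.6, min_host_share=0.5,
                     max_size=256 * 1024):
    """Score the link-farm pattern: small file, many external .pdf links, one dominant host.
    Thresholds are illustrative assumptions, not the scanner's tuned values."""
    uris = extract_uris(pdf_bytes)
    n = len(uris)
    if n == 0:
        return {"links": 0, "flag": False, "reason": "no /URI actions found"}
    hosts = Counter((urlparse(u).hostname or "").lower() for u in uris)
    top_host, top_count = hosts.most_common(1)[0]
    pdf_share = sum(urlparse(u).path.lower().endswith(".pdf") for u in uris) / n
    host_share = top_count / n
    flag = (len(pdf_bytes) <= max_size and n >= min_links
            and pdf_share >= min_pdf_share and host_share >= min_host_share)
    return {
        "links": n, "distinct_hosts": len(hosts), "top_host": top_host,
        "host_share": round(host_share, 3), "pdf_share": round(pdf_share, 3),
        "size": len(pdf_bytes), "object_streams": has_object_streams(pdf_bytes),
        "flag": flag,
    }


if __name__ == "__main__":
    for label, uris in (("farm", FARM_URIS), ("benign", BENIGN_URIS)):
        print(label, assess_link_farm(build_sample_pdf(uris)))
```

When `object_streams` is reported as True, treat a low link count as inconclusive and decompress the object streams (or use a full PDF parser) before deciding; the raw scan only sees dictionaries stored in the clear.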

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012e0.bin
SHA-256: 15ed55590473bfdb06808797b50ce2be0e0f3a8dfaec613cb4a24455e42d59b5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12E0
Size: 8380 bytes