Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0e12f8d2f161a1b…

MALICIOUS

PDF

Size: 29.8 KB
Authoring application: Inkscape
MD5: 4d58ed4d5f3df715634ce08b9a1b4358
SHA-1: 0b528cb33e766248f363631f4b943f6cbad33090
SHA-256: e0e12f8d2f161a1bd9993391832ae52a447f7854cbef9fcf75b23714ace9e5a9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a link farm with multiple external PDF URLs, disguised as an 'Axis bank balance sheet pdf'. This heuristic indicates a phishing or malware distribution attempt. The ClamAV detection confirms its malicious nature, classifying it as Pdf.Phishing.TtraffRobotInstall. The numerous embedded URLs suggest the primary goal is to redirect users to download further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://nukez.wfcrus.com/uploads/2020/01/28/wirob.pdf
    • http://lap.populair-cyber.com/uploads/2020/01/28/temipapiw-rugevoja.pdf
    • http://coolboymusic.us/uploads/1/3/0/6/130621893/250319.pdf
    • http://rubiosartpainting.com/uploads/1/3/0/2/130291371/webupa.pdf
    • http://poxu.hotelimperiya.ru/uploads/2020/01/29/7132e1.pdf
    • http://poppyandrose.co.uk/uploads/1/3/0/6/130620366/fuxidas_buzok_pinixagefotiv.pdf
    • http://pburg94rescue.org/uploads/1/3/0/2/130289494/921e214.pdf
    • http://easttexasdoula.com/uploads/1/3/0/5/130588663/jidenugolixijebeju.pdf
    • http://msmarmenia.org/uploads/1/3/0/5/130550758/bixewo-lofoguxikozope-dasaxarofume-taranebotoselo.pdf
    • http://carpetcleancary.com/uploads/1/3/0/5/130541073/130541073.html#axis+bank+balance+sheet+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011f5.bin
SHA-256: dafc5c7c67d7f435e117947ed85ac23e021308ca7c8ed380f23270f1dc3c1be7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11F5
Size: 7736 bytes