Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1c6e65e745c38df…

MALICIOUS

PDF

42.1 KB Authoring application: Pdftk
MD5: ffd0c28250e7f480ad4de55c6ede0f4b SHA-1: 3742f889feca35b36bd5c26224a370743cac026c SHA-256: e1c6e65e745c38df908ad4db917447b9e131dab13e1c3dc7204f3ceb6dfc28ca
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO manipulation tactic. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to phishing or traffic redirection. No scripts were extracted from this sample, and the document body content was heavily truncated and unreadable.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://thebra.org/uploads/1/3/0/2/130287307/nerumapuworuratek.pdf
    • http://conjecturellc.net/uploads/1/3/0/6/130640071/875963.pdf
    • http://designeveryday.net/uploads/1/3/0/3/130379485/074549e0d1cdf.pdf
    • http://needacable.com/uploads/1/3/0/6/130604448/6063045.pdf
    • http://dannyderrick.com/uploads/1/3/0/5/130540304/xujewupa-zitaxug-wotavazoves.pdf
    • http://creartivemedia.com/uploads/1/3/0/7/130740003/fenezunipoz.pdf
    • http://surfacedesignfx.com/uploads/1/3/0/3/130313388/1055282.pdf
    • http://my-family-lore.com/uploads/1/3/0/4/130478819/6018216.pdf
    • http://mightymustangband.com/uploads/1/3/0/2/130289611/4186582.pdf
    • http://www.fitvibeswithangie.com/uploads/1/3/0/6/130620490/9aaad3b.pdf
    • http://lavirgen.net/uploads/1/3/0/7/130738603/fasagor_dusowugenu_rutil.pdf
    • http://paulspadafora.net/uploads/1/3/0/3/130379105/muloripe.pdf
    • http://maconwebdesign.com/uploads/1/3/0/3/130379371/2800f785f.pdf
    • http://jarofthreads.com/uploads/1/3/0/8/130814145/zeralevolaguzed.pdf
    • http://collinsmslibrary.org/uploads/1/3/0/5/130588625/rapirivipa.pdf
    • http://bytecubed.io/uploads/1/3/0/6/130621928/130621928.html#list+10+non+essential+amino+acids

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a7c.bin
7298f7f00b01e49933cc0e5ed54fb59a08a9e541cbeabf8d51309a8fd7af4060		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A7C 7912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.