Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2c4cee626a66423…

Verdict: MALICIOUS
File type: PDF
Size: 71.2 KB
Authoring application: SWFTools
MD5: 72f192f947cd5ddaf858a7e9bfd874b5
SHA-1: eb82793d16afb53e29d6bb2c64aa6b6d14868d47
SHA-256: e2c4cee626a66423b3771bd971403aa98ac1edf6df5fcef3095525954e13874b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was detected as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded URLs, indicating a link farm likely used for SEO manipulation or to redirect users to phishing or malware distribution sites. The document body contains references to 'windows installer exe' and embedded URLs, further supporting the malicious intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sopoochtraining.com/uploads/1/3/0/2/130272978/a6306979.pdf
    • http://sfststephenschool.org/uploads/1/3/0/6/130604938/4646165.pdf
    • http://4us2wire.com/uploads/1/3/0/5/130543019/aea1dc3.pdf
    • http://michiganinsuranceguru.com/uploads/1/3/0/3/130324112/d7b9d139b.pdf
    • http://support-account.net/uploads/2020/01/29/8797771.pdf
    • http://partisanrecords.net/uploads/1/3/0/6/130620737/8d943e.pdf
    • http://mysifortenbery.com/uploads/1/3/0/4/130436096/biwajivobu-wogodevosawa-puzujunijakopeb.pdf
    • http://balletclassique.net/uploads/1/3/0/4/130436389/badagofadamed-zimefadonimo.pdf
    • http://kal.tvgoal.net/uploads/2020/01/28/bemojas-wijivupus-gidigebeji-gofogetiranotas.pdf
    • http://djgarbin.com/uploads/1/3/0/6/130604386/4232571.pdf
    • http://rehphotography.org/uploads/1/3/0/3/130324292/130324292.html#ireport+5.+6+0+windows+installer+exe

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00008f7c.bin
    SHA-256: 9e818a73efe00182f46adcd7977ef1d644ace98797aad6cfc2f5d0e3f82ae44e
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x8F7C
    Size: 20696 bytes
  • Filename: font_00_sfnt_off000012a8.bin
    SHA-256: b3e2727ebff1a9a0e339fe01aacee1f210df4a483e2d26c42459df181df68b44
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A8
    Size: 7952 bytes
  • Filename: font_02_sfnt_off0000b1ec.bin
    SHA-256: b7e0f63855f983b74be1c8a1cbbc30b8ff91e615338c6d2db99be0867f53c373
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB1EC
    Size: 17128 bytes