Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3c5c94df65f6a89…

MALICIOUS

PDF

Size: 66.5 KB
Authoring application: ImageMagick
MD5: 948952d72ab961df202c150533426ecd
SHA-1: 92a3998a9b8cf36e8273dca609e9fc1d8bca59b8
SHA-256: e3c5c94df65f6a8925d427a8531321efb1833466d6b4745e73bbee7e3cdff9df
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further suggests a phishing or traffic redirection intent. The embedded URLs point to various domains, all likely part of a link farm designed to distribute malicious content or redirect users to phishing sites. The document body text, while partially corrupted, contains references to 'Learn english verbs pdf' and includes several of these external URLs, reinforcing the lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://theyellowvanfurnitureco.com/uploads/1/3/0/5/130588412/7e19e7dfa3c52.pdf
    • http://defit.tobe-ok.ru/uploads/2020/01/28/8571853.pdf
    • http://weareriot.org/uploads/1/3/0/6/130620917/486754.pdf
    • http://newhomeswithashley.com/uploads/1/3/0/4/130476703/sepidajozobuko_sulomu_sotemosesiwe_bofevu.pdf
    • http://mapletreemw.com/uploads/1/3/0/4/130478174/5987501.pdf
    • http://polychromatiks.com/uploads/1/3/0/2/130271121/130271121.html#learn+english+verbs+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001126.bin
    SHA-256: fd45d100838dd4f4769be0ec7d732cc37ec3af7993ea496bc7fd98cc40fc5096
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1126
    Size: 7792 bytes
  • Filename: font_01_sfnt_off00004df4.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4DF4
    Size: 16036 bytes