Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3d732e6246ae75e…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Authoring application: PDFBox
MD5: c035087228f6c6bda5b67f5fc09c83b0
SHA-1: 0e9f9c02a6fa8c343a5eb89c3373fc612f6c364b
SHA-256: e3d732e6246ae75e63d392e8baad75a22f265483a924dfb5bdcf5d8830f3477d
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a lure related to an SBI debit card application, aiming to trick users into clicking embedded links. The primary heuristic indicates a link farm, with the most prominent URL being http://gateaugateau.com/uploads/1/3/0/6/130620677/vuraj_gopoju.pdf. This suggests the document's purpose is to redirect users to malicious content, likely for phishing or malware distribution.

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001216.bin
    SHA-256: 89f6ffe693cd7fdc64bcb8f54086681c7752ad37499875ae9359e89c702c9ce5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1216
    Size: 8440 bytes