Malicious PDF — malware analysis report

Static analysis result for SHA-256 e499b7c20b1366b0…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Authoring application: Poppler-utils
MD5: 5611cee20d33d9dba372bca3d14c4a27
SHA-1: 244aabc61bde92be19a6b1789d0170c4c51a3397
SHA-256: e499b7c20b1366b094f494d3417e5ab4fed5f73e1a5cb212dfdadce4f58dfcb7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF heuristic PDF_SEO_LINK_FARM indicates the presence of a mass external PDF link farm, with multiple URLs pointing to potentially malicious content. The ClamAV detection further confirms its malicious nature, identifying it as Pdf.Phishing.TtraffRobotInstall. The embedded URLs are likely used to redirect users to phishing sites or download further malware. The document body is heavily obfuscated and does not provide direct clues to the user-facing lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://eaglehealthinsurance.com/uploads/1/3/0/3/130313391/pisen.pdf
    • http://katletki.com/uploads/1/3/0/6/130604702/dezikofajavixezofa.pdf
    • http://nancyjmiller.net/uploads/1/3/0/4/130436298/5435567.pdf
    • http://bauerhomemakerservices.com/uploads/1/3/0/4/130476298/lizomokorog.pdf
    • http://mynaturalhairspa.com/uploads/1/3/0/3/130313049/130313049.html#can+you+change+the+sheets+in+spanish

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000010bb.bin
    SHA-256: ded62ab5fd165747f99bfa520c2e11f58490d457975be7638053b45a17e893db
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BB
    Size: 9716 bytes
  • Filename: font_01_sfnt_off000072fa.bin
    SHA-256: 1692517c2119bf1b691cbd9dbeb7d550046a0d1801c8cb664cdbbc4c32b71632
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72FA
    Size: 16152 bytes