Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4d2c27348af7ec7…

Verdict: MALICIOUS
File type: PDF
Size: 39.9 KB
Authoring application: Solid Converter PDF
MD5: 0b23fee598aee6549d5c3e4f4dda1687
SHA-1: e403f7f5e7cdde74d185ea6f7b19a66465438657
SHA-256: e4d2c27348af7ec76024f7c648ca6542cb68be42c1871e587b5ce196f8c1a20a
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF is a mass external link farm: 21 link annotations point to other PDF files on 21 different domains, every one under the same /uploads/1/3/0/N/130NNNNNN/ directory structure, plus one link to an HTML page whose URL fragment reads 'how to fill pan card correction form offline'. That layout is characteristic of a generated phishing or malware-distribution carrier rather than a document with genuine citations. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 corroborates the assessment. The extractable document text is heavily garbled but contains form-filling phrases, consistent with an SEO-style lure that sends the reader onward to the linked files.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links that cluster on one host or, as in this sample, on one shared path template: the 21 PDF targets sit on 21 distinct domains, but each uses the /uploads/1/3/0/N/130NNNNNN/ directory structure. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding on its own and only matters when other findings point to a malicious workflow, as they do here.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.ipcentric.mu/uploads/1/3/0/7/130739021/6870323.pdf
    • http://ebbandflood.net/uploads/1/3/0/7/130739336/gogafi-wobijujajobonu-togulotawatolu-dejebaziminodaw.pdf
    • http://half-nelson.com/uploads/1/3/0/6/130620195/wetoxugatu-gavajev-zobajasopade-xewudatifixu.pdf
    • http://cbschicago.org/uploads/1/3/0/6/130639537/4687131.pdf
    • http://www.bel-airmaritime.com/uploads/1/3/0/7/130775629/790762f64.pdf
    • http://lorilearnardart.com/uploads/1/3/0/6/130640090/siledikoferafin.pdf
    • http://pieterwuille.com/uploads/1/3/0/6/130604173/853ec5ef11.pdf
    • http://firstretrospective.com/uploads/1/3/0/5/130590298/9949621.pdf
    • http://beyondcharisma.org/uploads/1/3/0/7/130739479/6e62edc.pdf
    • http://kpopsingles.com/uploads/1/3/0/2/130272250/besasa.pdf
    • http://homeinfoinyorkregion.com/uploads/1/3/0/2/130288483/a3d6bd57b.pdf
    • http://premierbv.com/uploads/1/3/0/7/130775619/497300.pdf
    • http://jenfowler.net/uploads/1/3/0/5/130540359/e96095.pdf
    • http://cpmiddleburg.com/uploads/1/3/0/4/130436074/0b90cdd13fa76.pdf
    • http://mytravel.guide/uploads/1/3/0/6/130604640/lukukowelegutav.pdf
    • http://theselfishparents.net/uploads/1/3/0/2/130272340/6619092.pdf
    • http://gayejee.com/uploads/1/3/0/8/130814132/tamabavunovoja.pdf
    • http://bootcampandfitnessworkouts.com/uploads/1/3/0/6/130620560/mejikuwovobewiki.pdf
    • http://midamericanthermal.com/uploads/1/3/0/3/130313120/8422010.pdf
    • http://redlionca.net/uploads/1/3/0/3/130379741/3fea4d74d1f.pdf
    • http://mercedesudaeta.com/uploads/1/3/0/4/130483770/8394a.pdf
    • http://webdisk.jhigh18.com/uploads/1/3/0/3/130379167/130379167.html#how+to+fill+pan+card+correction+form+offline
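The link-farm heuristic above can be reproduced outside the scanner. The following Python is an added illustration, not the scanner's own rule: it pulls /URI actions out of a PDF's link annotations, keeps only external .pdf targets, and flags a small file whose targets cluster on one host or on one digit-normalised path template (the pattern this sample shows, with 21 hosts but one /uploads/N/N/N/N/N/ structure). The size and count thresholds, the example.* hostnames and the hand-built PDF are assumptions and constructed test data, not values taken from the report.

```python
"""Link-farm heuristic over a PDF's /URI link annotations.

Added illustration, not the scanner's own rule. Thresholds, sample hosts
and the hand-built PDF below are assumptions / constructed test data.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

SMALL_PDF_BYTES = 200 * 1024  # assumed: what counts as a "small" carrier PDF
MIN_PDF_LINKS = 10            # assumed: how many external .pdf links make a "mass" farm
CLUSTER_SHARE = 0.5           # assumed: fraction that must share a host or a path template

# Literal-string /URI values in uncompressed objects. Caveat: URIs stored as
# hex strings (<...>) or inside compressed object streams (/ObjStm) are not
# seen here; a real scanner decodes the object tree first (e.g. with pypdf).
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uri_actions(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal string found in the raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # undo the PDF literal-string escapes that can appear in a URL
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(path: str) -> str:
    """Directory part of a URL path with digit runs collapsed to 'N', so that
    /uploads/1/3/0/7/130739021/a.pdf and /uploads/1/3/0/6/130620195/b.pdf
    share the template /uploads/N/N/N/N/N/."""
    directory = path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf_bytes: bytes) -> dict:
    """Flag a small PDF whose external links are mostly .pdf targets that
    cluster on one host or, as in the report's sample, one path template."""
    uris = extract_uri_actions(pdf_bytes)
    pdf_links = [p for p in map(urlsplit, uris)
                 if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(p.hostname for p in pdf_links)
    templates = Counter(path_template(p.path) for p in pdf_links)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_tpl, top_tpl_count = templates.most_common(1)[0] if n else (None, 0)
    top_tpl_share = top_tpl_count / n if n else 0.0
    clustered = max(top_host_share, top_tpl_share) >= CLUSTER_SHARE
    return {
        "size_bytes": len(pdf_bytes),
        "uri_count": len(uris),
        "pdf_link_count": n,
        "distinct_hosts": len(hosts),
        "top_path_template": top_tpl,
        "top_template_share": round(top_tpl_share, 2),
        "flagged": len(pdf_bytes) < SMALL_PDF_BYTES and n >= MIN_PDF_LINKS and clustered,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Hand-built one-page PDF whose /Annots are /Link annotations with /URI
    actions. Constructed test input; it omits the xref table, which the
    byte-level extractor above does not need."""
    objs = [
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
        + " ".join(f"{4 + i} 0 R" for i in range(len(urls))) + "] >> endobj",
    ]
    for i, url in enumerate(urls):
        y = 700 - 14 * i
        objs.append(f"{4 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [72 {y} 540 {y + 12}] "
                    f"/A << /S /URI /URI ({url}) >> >> endobj")
    return ("%PDF-1.4\n" + "\n".join(objs) + "\ntrailer << /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Constructed sample: 12 invented hosts sharing one upload-path template,
# one .html target with a lure-like fragment, and one ordinary citation.
SAMPLE_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1300000{i:02d}/doc{i}.pdf"
    for i in range(1, 13)
] + [
    "http://site13.example/uploads/1/3/0/2/130000013/130000013.html#how+to+fill+a+form",
    "https://www.example.org/legit-reference.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
```

On the constructed sample the verdict reports 13 external PDF links across 13 hosts with 12 of them on the template /uploads/N/N/N/N/N/, so the file is flagged even though no single host dominates; a one-link PDF is not. Before relying on a byte-level regex in production, decompress object streams or use a real PDF parser, otherwise a carrier that stores its annotations in /ObjStm will score zero links.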

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000386b.bin
SHA-256:  a26d252415c75f32b3122a4d13c80deda9bb4d7eaf7f5e9ce81c145c4fd589c0
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x386B
Size:     8940 bytes

None of the heuristics on this report fire on the font stream. An embedded sfnt font program is a normal component of a converter-produced PDF, but font parsers are a well-known attack surface, so the carved file is worth hashing and scanning on its own.