Malicious PDF — malware analysis report

Static analysis result for SHA-256 e75bf959f91fb2e7…

Verdict: MALICIOUS
File type: PDF
Size: 60.9 KB
Authoring application: PDFedit
MD5: 39c2f451fa7856264263178e1f4ebd63
SHA-1: 1c83ef494315e2c50ab300cb1d79d83e044f5fc6
SHA-256: e75bf959f91fb2e7179a12fe31a9c33780a520a3d4f7b1cbb1d0bb0e0d476334
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a primary purpose of driving traffic to external sites, likely for SEO spam or phishing. The 'SE_CALLBACK_LURE' heuristic further indicates a potential for callback phishing or tech-support scams. No scripts were extracted from this sample, and the document body was heavily obfuscated, limiting further analysis of the specific lure.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000184a.bin | 1fa3b90fee2242523f5431ab024b4c57c48705e176a0b615744ac7649e2e13bb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x184A | 8236 bytes |
| font_01_sfnt_off00006f3c.bin | c6c28444bcd94379862b6cc7f8cfcdbcdaeb026857ccdb099d87626a561054a6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F3C | 16092 bytes |
| font_02_sfnt_off000083c9.bin | 0155b270e880695373dd54d4a603ab593a59502fdd82c9aa0432c78f0a40b4b7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x83C9 | 7924 bytes |
| font_03_sfnt_off00009e6c.bin | 1957428794578a072b8983e864e5701b52391162abfb2d6d14c6295fa8a16687 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9E6C | 6444 bytes |
| font_04_sfnt_off0000adc2.bin | 0342088d3df48d35ff21f1be6c615005ef378fc4fd0be0c98af7a96967da1f92 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xADC2 | 4372 bytes |