Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7bdc670ed211ab3…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
Authoring application: Karbon
MD5: 42784322787c9fd9eeb5a3c828efe29e
SHA-1: 952023d429be3c3a4ba1c0d57152ac890f4028de
SHA-256: e7bdc670ed211ab3fb8b0bd38da42d58719b49051ecbac839639fde2710373ca
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic: 21 link targets, 20 of them .pdf files, each on a different host but all sharing the same /uploads/1/3/0/N/13NNNNNNN/ path structure. That pattern matches generated SEO/link-farm PDF carriers that route users into phishing or unwanted-software delivery chains rather than a normal document citation pattern. ClamAV independently detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. No scripts were extracted, and the document body text was heavily truncated and unreadable, so the lure itself could not be analysed further; the only carved artifact is an embedded sfnt font, which is a normal component of a generated PDF.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the 21 targets sit on 21 distinct hosts; the clustering is in the shared /uploads/1/3/0/N/13NNNNNNN/ path template rather than in the host.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.lesetoilesdenoala.com/uploads/1/3/0/8/130874026/2376901.pdf
    • http://dlhp-solutions.com/uploads/1/3/0/2/130270742/f6d02d8b.pdf
    • http://mordyhandmade.ca/uploads/1/3/0/7/130776252/a2d3c86fdc0.pdf
    • http://www.cleanease.co.uk/uploads/1/3/0/8/130874220/ruzoneb-modipitajiki-lemet.pdf
    • http://preschoolhouse.com/uploads/1/3/0/6/130604405/9aa43.pdf
    • http://mhwilleke.net/uploads/1/3/0/5/130588989/7195838.pdf
    • http://mycheaphelper.com/uploads/1/3/0/5/130590391/sanimidixepet-gulununobesis-woxareliseb.pdf
    • http://viii.life/uploads/1/3/0/2/130289179/ad985d5d5.pdf
    • http://ashleyjaynemeyers.com/uploads/1/3/0/6/130604486/901ab32.pdf
    • http://www.philmlandshowcase.com/uploads/1/3/0/7/130775413/57b3f4fa91.pdf
    • http://mail.lawsnakard.com/uploads/1/3/0/4/130488500/bogat-zosuramapokutin.pdf
    • http://m.tommypikecustoms.com/uploads/1/3/0/8/130814467/patij-finud-kamaru.pdf
    • http://cotcmerchandise.com/uploads/1/3/0/5/130589353/kozaji.pdf
    • http://kopc.co.za/uploads/1/3/0/3/130379087/5900267.pdf
    • http://bestsellersdeal.nl/uploads/1/3/0/5/130539800/tutigemorib.pdf
    • http://midlifekrysis.com/uploads/1/3/0/5/130588731/warujovefuv.pdf
    • http://aggressivelyintelligent.band/uploads/1/3/0/7/130739029/mubatopinazama.pdf
    • http://saltlifepainting.com/uploads/1/3/0/2/130288580/fopebuxaxuzonaf.pdf
    • http://cowgirlchristmas.com/uploads/1/3/0/8/130874413/xawunibobog.pdf
    • http://langfordinvestments.com/uploads/1/3/0/6/130639982/wojizutajivebagipok.pdf
    • http://www.polarityzug.ch/uploads/1/3/0/3/130323631/130323631.html#mcdougal+littell+algebra+2+chapter+2+resource+book+answer+key
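The two critical heuristics above rest on one capability: pulling every /URI action target out of the PDF and then judging the set (file size, link count, share of .pdf targets, host spread). The script below is an added example written for this page, not the analysis platform's own code or its PDF_SEO_LINK_FARM implementation. It scans raw PDF bytes for /URI literal and hex strings (decoding PDF string escapes and nested parentheses), also inflates any FlateDecode stream so targets stored in compressed object streams are not missed, and applies a link-farm rule whose thresholds are assumptions. The .test hostnames, the build_sample_pdf() helper and the sample URL set are constructed inputs that mirror the shape of the URLs listed above, not the analysed sample.

```python
"""Raw-byte extraction of /URI link targets from a PDF plus a link-farm heuristic.
Added example, not the analysis platform's code; thresholds and .test hosts are assumed."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

URI_LITERAL = re.compile(rb"/URI\s*\(")                      # /URI (literal string)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")          # /URI <hex string>
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def _read_literal(data, start):
    """Decode a PDF literal string; `start` is the byte after the opening '('.
    Handles backslash escapes, octal codes and balanced nested parentheses."""
    out, depth, i = bytearray(), 1, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in (b"(", b")", b"\\") or nxt in _ESCAPES:
                out += _ESCAPES.get(nxt, nxt)
                i += 2
            elif nxt and nxt in b"01234567":
                m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
                out.append(int(m.group(), 8) & 0xFF)
                i += 1 + len(m.group())
            else:                       # line continuation or unknown escape
                i += 2
        elif c == b")" and depth == 1:
            return bytes(out), i + 1
        else:
            depth += (c == b"(") - (c == b")")
            out += c
            i += 1
    return bytes(out), i                # unterminated string: keep what we have

def extract_uris(data):
    """Return every /URI target from the raw file and from any stream that inflates."""
    bufs = [data]
    for m in STREAM.finditer(data):
        try:
            bufs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass                        # not a Flate stream (image, font, ...)
    uris = []
    for buf in bufs:
        for m in URI_LITERAL.finditer(buf):
            uris.append(_read_literal(buf, m.end())[0].decode("latin-1"))
        for m in URI_HEX.finditer(buf):
            digits = re.sub(rb"\s", b"", m.group(1))
            digits += b"0" * (len(digits) % 2)   # an odd final nibble pads with 0
            uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris

def link_farm_score(data, max_size=200_000, min_links=10, min_pdf_share=0.5):
    """Assumed thresholds: a file of at most max_size bytes with at least min_links
    external links, of which at least min_pdf_share target .pdf files, is flagged."""
    links = [u for u in extract_uris(data) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in links)
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    top_share = hosts.most_common(1)[0][1] / len(links) if links else 0.0
    flagged = (len(data) <= max_size and len(links) >= min_links
               and len(pdf_links) / len(links) >= min_pdf_share)
    return {"size": len(data), "links": len(links), "pdf_links": len(pdf_links),
            "hosts": len(hosts), "top_host_share": round(top_share, 2),
            "flagged": flagged}

def build_sample_pdf(uris, compress=False):
    """Constructed input (not the analysed sample): a minimal PDF with one /Link
    annotation per URI; compress=True stores the annotations in a Flate stream."""
    def lit(u):                         # escape a value for a PDF literal string
        b = u.encode("latin-1").replace(b"\\", b"\\\\")
        return b.replace(b"(", b"\\(").replace(b")", b"\\)")
    annots = [b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (%s) >> >>" % lit(u) for u in uris]
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    if compress:
        comp = zlib.compress(b"\n".join(annots))
        objs.append(b"<< /Type /Page /Parent 2 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
                    % (len(comp), comp))
    else:
        refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
        objs.append(b"<< /Type /Page /Parent 2 0 R /Annots [%s] >>" % refs)
        objs.extend(annots)
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"

# Constructed URL set: many hosts, one shared /uploads/1/3/0/N/13NNNNNNN/ path template.
SAMPLE_URIS = [f"http://site{i % 5:02d}.test/uploads/1/3/0/{i % 9}/1305{i:05d}/doc{i}.pdf"
               for i in range(12)] + ["https://site99.test/130323631.html#answer(key)"]

if __name__ == "__main__":
    print(link_farm_score(build_sample_pdf(SAMPLE_URIS)))
```

Running the script flags the constructed 13-link sample (12 of 13 targets are .pdf files, spread over 6 hosts) while a three-link variant is left alone. The scan is deliberately parser-free, so it does not follow the cross-reference table, handle encrypted files, or distinguish a link annotation from a URI that merely appears in a stream; for production triage, confirm the channel with a real PDF parser (pdfid, peepdf or pypdf) before treating a hit as a link-farm detection.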

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003c9c.bin
SHA-256: 7d79e0a87335598d0d16c60def0b5980104ca7eb3431d7f4e234fcd019ddc244
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3C9C
Size: 9904 bytes