Malicious PDF — malware analysis report

Static analysis result for SHA-256 e88c9e9f3fe0a04e…

MALICIOUS

PDF

Size: 35.5 KB
Authoring application: Pdftk
MD5: b8a39ff93189dc5c1e86776f04aac8a2
SHA-1: 608666e2b84b6f15a8679a14ca8de2518cebedb7
SHA-256: e88c9e9f3fe0a04e992247073ce6863e9df1b76c167539177f7ac00efaf6944d
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious Link
  • T1566.002 Spearphishing Attachment

The PDF contains a large number of external links, many of which point to other PDFs, indicating a link farm for SEO purposes. The document body text, though heavily obfuscated, contains phrases related to serial numbers and captchas, suggesting a lure to trick users into clicking links. The 'ClickFix' heuristic further supports this, indicating the document attempts to bypass macro restrictions by instructing the user to run commands. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' confirms the malicious intent.

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_CLICKFIX (high): ClickFix social engineering attack
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://24h-loodgieter.be/uploads/1/3/0/6/130639309/5550590.pdf
    • http://lindsaypulsipher.net/uploads/1/3/0/7/130775776/9931327.pdf
    • http://carollemonrealtors.com/uploads/1/3/0/6/130620854/982218.pdf
    • http://595corporateparkofcommerce.com/uploads/1/3/0/3/130379894/5468da6ad60fae.pdf
    • http://rmckendreeb.com/uploads/1/3/0/4/130483429/8503547.pdf
    • http://lifelitupphotos.com/uploads/1/3/0/4/130476208/vijokodikitivis_lodesitafap_penevuki.pdf
    • http://attheedgedesign.com/uploads/1/3/0/2/130272363/benalukumema.pdf
    • http://rehphotography.org/uploads/1/3/0/7/130740128/130740128.html#serial+number+for+adobe+acrobat+pro+9

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001153.bin
    SHA-256: a47225be94abebd07f02e3b2aa09b58ce6f981b955ede8363f37a5ddb8eac9f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1153
    Size: 8052 bytes