Malicious PDF — malware analysis report

Static analysis result for SHA-256 e931814912cd2dce…

Verdict: MALICIOUS
File type: PDF
Size: 34.1 KB
Authoring application: Smallpdf Desktop
MD5: 8e1d0ece6da4fe904544643bf06b83bc
SHA-1: 47f98f84a59eb3dc9f5ad01d6cdefd06e0991436
SHA-256: e931814912cd2dce879e7d7cb24d74caa8295fabbb5e6602227bf5bc604eaa83
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further suggests a malicious intent, likely related to phishing or traffic redirection. The document body itself is heavily obfuscated and does not provide clear textual clues, but the presence of numerous links points to an attempt to manipulate search engine results or direct users to potentially malicious content hosted on various domains.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001838.bin
  SHA-256: 3974891db8a4ec8ec2d7bd6096109588069a4504a1a2c6a6a63e29e83c6c02e0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1838
  Size: 16232 bytes

Filename: font_01_sfnt_off00002ff1.bin
  SHA-256: 3e9b3ace8884f57f14d0655c1ef8eab0924c719a28c89523f52941faa438ab52
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2FF1
  Size: 7168 bytes