Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9d45076503cfffe…

MALICIOUS

File type: PDF
Size: 41.9 KB
Authoring application: ImageMagick
MD5: 449899cefff9033d07be35b66f6e4d32
SHA-1: da141bf201ed19075cc4b594337ce8e73d291d2f
SHA-256: e9d45076503cfffe0756e2c6e6e7b5ba935c1fa12522e10243117c2a701f40da
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files on various domains. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, likely related to phishing or traffic redirection.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lpcoalition.com/uploads/1/3/0/5/130551132/7159993.pdf
    • http://mrandmrsmusicco.com/uploads/1/3/0/4/130475918/puxibepip.pdf
    • http://mohammedalraisart.com/uploads/1/3/0/4/130476359/lawilebiberupoxam.pdf
    • http://moobesity.com/uploads/1/3/0/6/130639337/nugolerejinos_kelanurawivak_nasekiruluj_putudeka.pdf
    • http://blockfortcolumbus.shop/uploads/1/3/0/5/130539125/72dbb2448687e48.pdf
    • http://spyclan.com/uploads/1/3/0/7/130775665/8634515.pdf
    • http://juderus.com/uploads/1/3/0/8/130814065/9223534.pdf
    • http://www.rtodradio.net/uploads/1/3/0/3/130313098/3d6293ecd6.pdf
    • http://nannymoscow.ru/uploads/1/3/0/7/130776269/vawifuru-desapil-febubiz-lifodelefebiz.pdf
    • http://travelwithcowboyandhippie.com/uploads/1/3/0/2/130289732/2758678.pdf
    • http://nourishformulas.com/uploads/1/3/0/3/130379596/finewapuxo.pdf
    • http://sub2000ati.com/uploads/1/3/0/5/130589431/4ae8f0cf.pdf
    • http://alaskacharr.org/uploads/1/3/0/6/130639899/fasodo.pdf
    • http://juvefc.football/uploads/1/3/0/7/130740318/8684849.pdf
    • http://classiccityfirewood.com/uploads/1/3/0/5/130538937/janapun_xifepu_femaxutuvafelit_juwejosak.pdf
    • http://vps23.pleasingfood.com/uploads/1/3/0/2/130270996/130270996.html#riptide+ukulele+chords+fingerpicking

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000039e4.bin
SHA-256: 849863ed3c933cec7e0abe7c6f0471356410a4a8b2d51ade85b211dcfeb6b2fc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x39E4
Size: 8128 bytes