Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec2878dce3f670d3…

MALICIOUS

PDF

51.9 KB Authoring application: Mobipocket Creator
MD5: 876dcbb8c5ab2e4257a7a5d1aaa2bb4a SHA-1: e721680a9a407e0f6b0989d66a0c164b7d172136 SHA-256: ec2878dce3f670d3064cd35a8aef82e2a593cf0c3d127b92829a6760e46f451e
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or distribution mechanism. The presence of urgency language in the document body further supports a phishing or malicious redirection attempt. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 confirms the malicious nature of the file.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://latolaw.com/uploads/1/3/0/7/130775763/fugodaredot.pdf
    • http://communitiesdefendingdemocracy.us/uploads/1/3/0/6/130620340/terofijif-kudoka.pdf
    • http://www.guestfrance.com/uploads/1/3/0/5/130551335/72aac.pdf
    • http://starbagsptsd.com/uploads/1/3/0/6/130605017/550e293796b23b.pdf
    • http://cumyum.org/uploads/1/3/0/6/130605302/fe39e.pdf
    • http://calhounheritagep.com/uploads/1/3/0/5/130551335/714754b0b7598.pdf
    • http://nicolasintheoldmarket.com/uploads/1/3/0/5/130551935/d1e98de41fdea4.pdf
    • http://fullerealty.com/uploads/1/3/0/6/130605492/gozena.pdf
    • http://oldmilltradingco.shop/uploads/1/3/0/5/130590336/jojaxujefigu_girogik_guxojotera.pdf
    • http://mimibug.com/uploads/1/3/0/4/130488121/jadewajozijitata.pdf
    • http://ballalae.com/uploads/1/3/0/7/130739806/5306790.pdf
    • http://ajvincentproductions.com/uploads/1/3/0/5/130539204/wavuduvebe_susirupevufu.pdf
    • http://bestlimoservicelosangeles.net/uploads/1/3/0/5/130550729/8531397.pdf
    • http://webdisk.stefanaarnio.com/uploads/1/3/0/7/130739719/130739719.html#vte+prophylaxis+guidelines+nice

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000131c.bin
a94e7bd9266f1bec15b1f8b5ca8a6cc2765d80186bd196e6e985e86c32a46b0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x131C 7400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.