Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec3c370e52fe4a02…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Authoring application: Soda PDF
MD5: 8eed771b3af0d87d7794d7c3bd4f2603
SHA-1: d71c720d5f27f701b5374eb49187ed2066c797b1
SHA-256: ec3c370e52fe4a0248d4dc5ff5de82bff574fc79e7f3558a0b245236d1895484
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, all hosting PDF files with numeric slugs in their URLs. This pattern suggests a link farm or redirection scheme designed to obscure the ultimate destination or to distribute malicious content. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall further supports a phishing or traffic-driving intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002ef9.bin
    SHA-256: 92d1eb0f8dd17981d1c6c607d1856481e2ac9810148a6d55501ef32cd85153f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2EF9
    Size: 7340 bytes