Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecc8e7705290af92…

MALICIOUS

PDF

Size: 59.3 KB
Authoring application: Karbon
MD5: 5a74a2dc7cc5cf71fe11454c32d810be
SHA-1: 07f9ffbc019bf0dddecb7f22b3d5ad96b279024a
SHA-256: ecc8e7705290af926386851e7dd37da69d35ef700a72fb30e63cc9315a3bc759
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a 'PDF_SEO_LINK_FARM', indicating a large number of external links. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further suggests a malicious intent, likely phishing or traffic redirection. The embedded URLs point to various domains, many of which are structured similarly, suggesting a coordinated effort to host or link to malicious content. The document body, though partially corrupted, contains references to 'malayalam movies links' and 'Telegram Group Links', which could be lures to entice users to click the embedded links.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000012a0.bin | 7aab601db091cac09cc9a1319da53cd2714b9cca5ab74ff4ab96a2a7925bfc1d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12A0 | 8784 bytes
font_01_sfnt_off00005fba.bin | c38f17cb8dbbcb0db83a1142be40b1f739bc05b6dee14d0fd7d6623cb34fa13a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FBA | 6420 bytes
font_02_sfnt_off00006f79.bin | a2ec0d702e67eb61c7d01cd16c6f8f321f8ec0089200686bf0ecf7f9e3122b52 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F79 | 3084 bytes
font_03_sfnt_off000079c2.bin | 106ffab7b04739fd8931330250c332e493bc6a6760f3775871cc2310f184dd20 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x79C2 | 9100 bytes
font_04_sfnt_off00008ac3.bin | 66719565f72347ee217ef9be834acf403dce26b2c108a4ed07d8d14a24aa106b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AC3 | 7492 bytes
font_05_sfnt_off00009f10.bin | aeabee062e0802bb80900320c5806b63fbcaf4c8e76a4605585bb8de5f14cd9a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9F10 | 16564 bytes