Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecee36eb55465330…

MALICIOUS

PDF

Size: 41.8 KB
Authoring application: GIMP
MD5: 4586c6e824488cc97389ef42e02c2032
SHA-1: 2eee758cf907ed722b6daa24be02bfcbf583ccbd
SHA-256: ecee36eb55465330698d351bde0559d7dac281a721c55605639e54bd1f9dde03
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected as malicious by ClamAV with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external links, indicating a potential phishing or SEO spam campaign. The primary heuristic firing, 'PDF_SEO_LINK_FARM', confirms the presence of numerous links, with 'supernatural-wellness.com' being the dominant host. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000310b.bin
    SHA-256: f304d5248de4d2d535e11e5a3f00133999c598ccb7ee943f2677ab784214679d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x310B
    Size: 16208 bytes
  • font_01_sfnt_off0000492c.bin
    SHA-256: 6802ba174f69f19d5ffa566282a625a193dbda9b783f6b88792c8f6355e2d1ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x492C
    Size: 9012 bytes