Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee0dea11ace955d7…

MALICIOUS

PDF

Size: 44.3 KB
Authoring application: Mobipocket Creator
MD5: ee873987564059969ee94f3317954ef7
SHA-1: 0130ae9966975fe3d10bd47fba5bc924a26da8d9
SHA-256: ee0dea11ace955d746797633ca9f03ff48de682434085d7a1bea411452e3c00b
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains. The heuristic 'SE_URGENCY_LURE' indicates the document text likely contains language designed to create a sense of urgency. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The primary attack pattern involves luring the user to click on one of the embedded links, which likely leads to further malicious content or downloads.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_URGENCY_LURE (low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000011ed.bin
    SHA-256: 5bc16b34cd234b93743e648c26d2ab0b33a32300ad8843932e12037812479d72
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11ED
    Size: 9000 bytes
  • Filename: font_01_sfnt_off00006719.bin
    SHA-256: 65ca2fa633a49bc637c245e3469a24bec82cbb291b9200d770c42ee2df1588ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6719
    Size: 16096 bytes