Malicious PDF — malware analysis report

Static analysis result for SHA-256 efc5fb14d76ee028…

MALICIOUS

PDF

37.3 KB Authoring application: PDF Studio
MD5: 414e68b9a21f5e737beb655ae45e5548 SHA-1: 2cb2538aef117aef9b0bbf8c5710ae8c3a19eb3a SHA-256: efc5fb14d76ee0289a1b5f2121bd0ac09e79b6959dde708ed53168fc5d0677ce
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was detected as malicious by ClamAV with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external PDF links, indicating a link farm designed to redirect users. The primary heuristic 'PDF_SEO_LINK_FARM' confirms this, highlighting the dominant host 'websitemakentips.com' and its associated links. The document body contains garbled text and references to 'PDF Studio', suggesting it is a lure document. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://websitemakentips.com/uploads/1/3/0/5/130551925/1389885.pdf
    • http://zimo.evergy.ru/uploads/2020/01/29/nekivusisoxunarasa.pdf
    • http://lutupoloxo.rostov-posutochno.ru/uploads/2020/01/28/eb7ef7f1104.pdf
    • http://220602shopsss01.fun/uploads/2020/01/27/xovunonajupuni-gosoga-riraso.pdf
    • http://slmx.com/uploads/1/3/0/6/130620863/wamediro_menenukakad.pdf
    • http://werajidinu.agicole-acces.com/uploads/2020/01/29/woboxi.pdf
    • http://taylormaids.org/uploads/1/3/0/3/130313700/fufukeveremalajuvov.pdf
    • https://vuwenenur.weebly.com/uploads/1/3/0/5/130545249/fipodaf.pdf
    • http://mosbonavto.ru/uploads/2020/01/27/6256785.pdf
    • http://atvgorky.ru/uploads/2020/01/28/fasosa.pdf
    • https://nogukebu.weebly.com/uploads/1/3/0/5/130550925/ludewuza.pdf
    • https://ketadalipozo.weebly.com/uploads/1/3/0/5/130589050/wufaparotipa.pdf
    • http://goki.hayatimbirfilm.com/uploads/2020/01/29/wapen-lesano.pdf
    • http://laf.listicdana.com/uploads/2020/01/28/mopejiga_xofukivitiw_rapax.pdf
    • http://jafan.copyrightcontact-1000041832095.com/uploads/2020/01/28/wegege.pdf
    • https://zamilerix.weebly.com/uploads/1/3/0/5/130590509/6717561.pdf
    • http://bunufep.maturitas.ru/uploads/2020/01/28/7357959.pdf
    • http://azpadu.com/uploads/1/3/0/5/130588983/0e91a82166.pdf
    • http://evaairways.org/uploads/1/3/0/5/130539940/130539940.html#chibi+knight+hacked+unblocked

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000014dc.bin
5a789dfc8e61467f80021c65e2790c91052add93215d7e77f766b2e340ad72b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14DC 7776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.