Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5ba8f8415af26a3…

Verdict: MALICIOUS

File type: PDF

Size: 30.8 KB
Authoring application: Soda PDF

MD5:     540c5e68e0d7a4692df7a901c0081d2b
SHA-1:   a43d891ce0c200a03b316d0b7d8638d0f8b49070
SHA-256: f5ba8f8415af26a387e20c4f8afad3aa162b47fdf21fab42e5c0e07352af6cd3

Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

ClamAV detected the PDF as malicious with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis extracted a large number of external links, almost all of them pointing at other PDFs under near-identical '/uploads/1/3/0/…/' paths on different hosts: the shape of a generated link farm used for SEO manipulation or to route readers into phishing or unwanted-software delivery chains. The visible document text is heavily obfuscated and unreadable, so the only hint at the lure is the fragment on the single HTML link, a "full movie in hindi download" search phrase.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://kmfxmentorr.com/uploads/1/3/0/4/130488169/rubamagab_sefuweno_wokamoge.pdf
    • http://defininggreen.com/uploads/1/3/0/6/130604850/8c84a.pdf
    • http://eddiecastle.com/uploads/1/3/0/4/130435611/babilanunepaju.pdf
    • http://www.sextonhomeinspection.com/uploads/1/3/0/5/130551116/ee1c9ad3ac03.pdf
    • http://brookeastormusical.com/uploads/1/3/0/6/130639406/xenuzuw.pdf
    • http://www.urbanmotions.com/uploads/1/3/0/6/130621583/vugajama-sevuvubugu.pdf
    • http://naruebordin.com/uploads/1/3/0/4/130483809/2772891.pdf
    • http://stlouiswireless.net/uploads/1/3/0/6/130621995/sasulerug-pegokitovidel.pdf
    • http://silviazucchetti.com/uploads/1/3/0/5/130551704/4996756.pdf
    • http://riellyrealty.com/uploads/1/3/0/8/130813921/4290790.pdf
    • http://www.kother.nl/uploads/1/3/0/5/130550693/6942459.pdf
    • http://host49.carmichaelnl.com/uploads/1/3/0/5/130546880/130546880.html#dead+poets+society+full+movie+in+hindi+download+filmyzilla
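The PDF_SEO_LINK_FARM heuristic above is easy to reproduce for triage. The script below is an added example, not the analysis platform's own code: it pulls /URI targets out of link annotations in a PDF (from objects in the clear and from FlateDecode streams), then flags the file when it is small, carries many external links, and those links cluster either on one host or on one path shape, which is the pattern the URL list shows (distinct hosts, identical '/uploads/1/3/0/…/' layout). The sample PDF it builds is constructed for the demonstration; the hosts, thresholds and the simplified stream-dictionary matching are assumptions.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) is how a Link annotation names its target. The
# lookbehind keeps an escaped \) inside the string from ending the match.
_URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Assumption: a FlateDecode stream dictionary without nested << >> after
# the /Filter entry, which is enough for ObjStm and content streams here.
_FLATE_RE = re.compile(rb"/Filter\s*/FlateDecode[^>]*>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(raw: bytes) -> str:
    # Undo the PDF literal-string escapes that can appear in URLs.
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Collect /URI targets from plain objects and from FlateDecode streams."""
    found = [_unescape(m) for m in _URI_RE.findall(pdf)]
    for body in _FLATE_RE.findall(pdf):
        try:
            inflated = zlib.decompress(body)
        except zlib.error:
            continue  # damaged or non-zlib stream: skip rather than abort triage
        found.extend(_unescape(m) for m in _URI_RE.findall(inflated))
    return found


def _path_shape(url: str) -> str:
    # Digits collapsed and filename dropped, so /uploads/1/3/0/4/1304/x.pdf
    # and /uploads/1/3/0/6/1306/y.pdf share the shape /uploads/#/#/#/#/#.
    path = re.sub(r"\d+", "#", urlsplit(url).path)
    return path.rsplit("/", 1)[0] or "/"


def score_link_farm(pdf: bytes, max_size=65536, min_links=8, cluster_ratio=0.5) -> dict:
    """Small file + many external links + one dominant host or path shape."""
    uris = extract_uris(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    shapes = Counter(_path_shape(u) for u in uris)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_shape = shapes.most_common(1)[0] if shapes else ("", 0)
    pdf_links = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    clustered = max(top_host[1], top_shape[1]) / max(len(uris), 1) >= cluster_ratio
    return {
        "size": len(pdf),
        "links": len(uris),
        "pdf_links": pdf_links,
        "top_host": top_host,
        "top_path_shape": top_shape,
        "link_farm": len(pdf) <= max_size and len(uris) >= min_links and clustered,
    }


def build_sample_pdf() -> bytes:
    """Constructed test input (assumption, not the analysed sample): three link
    annotations in the clear plus five more inside a FlateDecode object stream."""
    clear = [
        "http://a.example.com/uploads/1/3/0/4/130488169/one.pdf",
        "http://b.example.com/uploads/1/3/0/6/130604850/two.pdf",
        "http://c.example.com/uploads/1/3/0/4/130435611/three.pdf",
    ]
    packed = [
        "http://d.example.com/uploads/1/3/0/5/130551116/four.pdf",
        "http://e.example.com/uploads/1/3/0/6/130639406/five.pdf",
        "http://f.example.com/uploads/1/3/0/6/130621583/six.pdf",
        "http://g.example.com/uploads/1/3/0/4/130483809/seven.pdf",
        "http://h.example.com/uploads/1/3/0/5/130546880/index.html#lure",
    ]

    def annot(num: int, url: str) -> bytes:
        return f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({url}) >> >>\nendobj\n".encode()

    out = b"%PDF-1.4\n" + b"".join(annot(i + 1, u) for i, u in enumerate(clear))
    inner = zlib.compress(b"".join(annot(10 + i, u) for i, u in enumerate(packed)))
    out += b"9 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length " + str(len(inner)).encode()
    out += b" >>\nstream\n" + inner + b"\nendstream\nendobj\n%%EOF\n"
    return out


if __name__ == "__main__":
    for key, value in score_link_farm(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

On the constructed sample every host is distinct, so clustering by host alone would miss it; the shared path shape is what trips the rule, which is also why the URL list in this report looks the way it does. For a real sample, replace build_sample_pdf() with the file's bytes; the thresholds are starting points to tune against a corpus of benign PDFs with legitimate reference lists.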

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001ed5.bin
SHA-256:  91ce2a2e7064b315410a2aba43f1cafcfc697eca5cf5b7f8ff713c6a3d367126
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1ED5
Size:     9368 bytes