Malicious PDF — malware analysis report

Static analysis result for SHA-256 f60ea3e2333eee89…

Verdict: MALICIOUS
File type: PDF
File size: 32.1 KB
Authoring application: Smallpdf Desktop
MD5: 8f1b08186e26f72d2a6c0276e6829581
SHA-1: 2477c51e4e6c4bd5ec954521c0f3e4169d666d42
SHA-256: f60ea3e2333eee89bf928ea81b6ebe8788815444a4af5a7bb6f8eceb22b90de6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a significant number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, while containing some seemingly legitimate text about house plans, also includes these links, suggesting a phishing or redirection attempt. The ClamAV detection further supports its malicious nature, classifying it as Pdf.Phishing.TtraffRobotInstall. The embedded URLs are the primary indicators of compromise, likely leading to further malicious content or downloads.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://fuckcharucki.com/uploads/1/3/0/5/130590555/2615347.pdf
    • http://laughingduck.org/uploads/1/3/0/3/130324416/pujim.pdf
    • http://skylighthk.com/uploads/1/3/0/6/130604520/pokizezu-rezeredexavofej-jesefefukotufi.pdf
    • http://ndp3.net/uploads/1/3/0/6/130620764/dudelevetuwek-vevor-gogewagefab.pdf
    • http://juliejesternewman.com/uploads/1/3/0/8/130874238/130874238.html#3+bedroom+house+plan+indian+style+east+facing

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001074.bin
SHA-256:  1e21feeb1c5b869e97f1a90f36f877cb52cecb27ae7bf4765ac9876a612660b5
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1074
Size:     8208 bytes