Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb604d7375e37a42…

Verdict: MALICIOUS
File type: PDF
Size: 37.5 KB
Authoring application: Serif PagePlus
MD5: 68b567270f1c4749404b7e8320ac6a8d
SHA-1: e3b351a6a4a7b3adbffc3c962795cc9e28152041
SHA-256: fb604d7375e37a42d496eec9fd9bf6e63e95666fb255f1ce249a0903a14f539b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, as flagged by the PDF_SEO_LINK_FARM heuristic. These URLs point to other PDF files hosted on various domains, which suggests a link farm or distribution network. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, most likely phishing or traffic redirection. The document body itself is a mix of text and URLs, which reinforces the link-farm character of the document.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://amberbowmanfit.com/uploads/1/3/0/3/130313117/3288685.pdf
    • http://polishedpad.com/uploads/1/3/0/4/130483616/4189217.pdf
    • http://behinddaytona.com/uploads/1/3/0/3/130312991/ba26450c.pdf
    • http://npnbuyer.net/uploads/1/3/0/4/130490461/5709638.pdf
    • http://mygrandmabillieskitchen.com/uploads/1/3/0/5/130540585/1efe6c5efbc7.pdf
    • http://ahealinghand.weebly.com/uploads/1/3/0/4/130483761/gukawisanijewawidub.pdf
    • http://vodisi.kuhni-msc02.icu/uploads/2020/01/27/mapeditukewonorizo.pdf
    • http://nijoko.antlermediagroup.com/uploads/2020/01/28/01689793.pdf
    • https://xopaxutozuwox.weebly.com/uploads/1/3/0/4/130435987/8206626.pdf
    • https://loselelu.weebly.com/uploads/1/3/0/5/130550783/251507.pdf
    • http://mia-and-darrell.com/uploads/1/3/0/3/130379193/verozaxageda.pdf
    • http://psychedelicsmadnessawakening.com/uploads/1/3/0/5/130551749/373324.pdf
    • http://redrivercleaningco.com/uploads/1/3/0/4/130488476/zoxufokozomu-jivovok-sovenunapid.pdf
    • http://beautybehindbars.org/uploads/1/3/0/6/130639865/wotufugasofazigutena.pdf
    • http://networkdua.com/uploads/1/3/0/6/130620232/fexojotowifupo.pdf
    • http://welcometothehub.co/uploads/1/3/0/4/130435695/130435695.html#fidic+dbo+contract+guide+2011

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001418.bin
SHA-256: f7e6d1d79b886276878c865be483fc0da31b0e93dac4a0653cbc2ed727466bf4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1418
Size: 8296 bytes