Malicious PDF — malware analysis report

Static analysis result for SHA-256 19c1cc8a9a806779…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Authoring application: pdf-parser
MD5: 3f7f27fedeeeade52a50c43c422fc918
SHA-1: 1ffc521231f32130bf491cc95c8acde3380a9258
SHA-256: 19c1cc8a9a8067793d6e20243335bf1b264387c66215fdfe5c2bc18a198292d4
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to other PDF files hosted on various domains, indicating a link farm strategy. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The embedded links are likely used to distribute further malicious content or lead users to phishing sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004ae0.bin
SHA-256: 87cdfc3bb5039741a2125e94e4a0f17f078641037fe72566bba823e4b6341244
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4AE0
Size: 8140 bytes