Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a5a03de64461eae…

MALICIOUS

File type: PDF
Size: 31.5 KB
Authoring application: Scribus
MD5: 6e65cc402d0625003b341dea5e97d18a
SHA-1: 9672429d19d709298f3742a636051b5780a58920
SHA-256: 1a5a03de64461eae8552740a511ad07ed88ea97bd34d3f0b00eeb84ccd5e44c6
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The file triggers the critical PDF_SEO_LINK_FARM heuristic: a 31.5 KB PDF carrying 24 external PDF links, matching a generated link-farm carrier rather than a document with citations. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 supports the same reading: the document exists to route the reader into a phishing or unwanted-software delivery chain. The linked targets sit on a dozen unrelated domains that share one upload path template, so blocking a single host is not enough; treat the sample hashes and every listed URL as indicators. Because this is a static result, none of the linked PDFs was fetched: the second-stage content is inferred from the signature and the link pattern, not observed.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the clustering is on path rather than host: the targets are on different domains but share the template /uploads/1/3/0/<n>/<9-digit id>/<name>.pdf, which is the same generated-carrier signal.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://autosearjig.com/uploads/1/3/0/5/130550758/lelabowenek-sugaf-gipetijaso-jagis.pdf
    • http://njointeriors.com/uploads/1/3/0/3/130379299/303c5.pdf
    • http://mssarkisclass.com/uploads/1/3/0/6/130621801/ac1e5484dd44a2.pdf
    • http://theatrestudentunion.com/uploads/1/3/0/2/130271128/zenibebiwu.pdf
    • http://afuture-ahope.com/uploads/1/3/0/6/130621798/sunilaw-dagodubi-zigumegipibi-tawakanuxuzozij.pdf
    • http://djspizza1.com/uploads/1/3/0/2/130270900/sudulazelitunumir.pdf
    • http://doodlebugblessingsgoldendoodles.com/uploads/1/3/0/3/130313022/bixapomodo.pdf
    • http://mikeandeli.nyc/uploads/1/3/0/4/130435657/5781637.pdf
    • http://kulshanclayworks.com/uploads/1/3/0/6/130640091/8055459.pdf
    • http://modestomasonry.com/uploads/1/3/0/5/130543545/puzilunifi-wimevig.pdf
    • http://sacred-journeys.net/uploads/1/3/0/6/130621673/23c712.pdf
    • http://superspysaucecompany.com/uploads/1/3/0/3/130323998/06f9ad77.pdf
    • http://bejustalittlebetter.com/uploads/1/3/0/6/130639990/130639990.html#bosch+glm+40+professional+laser-+distanzmesser
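The PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above describe the check without showing it. What follows is an added example, not the scanner's own code: it pulls URLs out of a PDF by channel (link annotation, JavaScript action, raw body) and scores the link-farm pattern the heuristic names, i.e. small file, many clickable links, most of them to .pdf targets, most of them clustered on one host or, as in this sample, on one shared path template across many hosts. The sample PDF, the hosts under .example and .invalid, the `app.launchURL` JavaScript and every threshold are constructed for the demo; the scanner's real thresholds are not published on this page, and the regex extraction assumes uncompressed objects (production tooling inflates /FlateDecode streams first).

```python
# Added example (not the scanner's code): extract URLs from a PDF by channel
# and score it the way the PDF_SEO_LINK_FARM heuristic describes.
# Thresholds and the sample PDF are constructed for the demo.
import re
from collections import Counter
from urllib.parse import urlsplit

# A PDF literal string: "(" ... ")" with backslash escapes honoured.
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING)   # /A << /S /URI /URI (http://...) >>
JS_RE = re.compile(rb"/JS\s*" + PDF_STRING)     # /OpenAction or /AA JavaScript
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def build_sample_pdf(urls, js=b""):
    """Constructed sample: one page, one /Link annotation per URL, one JS action.
    The xref table is omitted; the regex extractor below does not need it."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if js else b"") + b" >>"
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs = [catalog,
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annot_refs + b"] >>",
            b"<< /S /JavaScript /JS (" + js + b") >>"]
    for i, u in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (700 - 20 * i, 715 - 20 * i, u.encode()))
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_urls(pdf_bytes):
    """Return (channel, url) pairs for each distinct URL. Channel = which PDF
    feature reaches it: 'link_annotation' (clickable link), 'javascript'
    (script action) or 'body' (only found in raw content, e.g. printed text)."""
    found, seen = [], set()

    def add(channel, raw):
        url = raw.decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((channel, url))

    for m in URI_RE.finditer(pdf_bytes):
        add("link_annotation", m.group(1))
    for m in JS_RE.finditer(pdf_bytes):
        for raw in URL_RE.findall(m.group(1)):
            add("javascript", raw)
    for raw in URL_RE.findall(pdf_bytes):   # anything the two channels missed
        add("body", raw)
    return found


def link_farm_score(pdf_bytes, max_size=64 * 1024, min_links=10,
                    min_pdf_share=0.5, min_cluster_share=0.5):
    """Score a PDF against the link-farm pattern: small file, many clickable
    links, most pointing at .pdf files, most clustered on one host or on one
    shared path template across many hosts. Thresholds are demo assumptions."""
    found = extract_urls(pdf_bytes)
    links = [u for ch, u in found if ch == "link_annotation"]
    hosts = Counter(urlsplit(u).hostname for u in links)
    # Directory part of the path with every digit run replaced by N:
    # /uploads/1/3/0/5/130550758/x.pdf -> /uploads/N/N/N/N/N
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in links)
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in links)
    top_host = hosts.most_common(1)[0] if hosts else (None, 0)
    top_template = templates.most_common(1)[0] if templates else (None, 0)
    n = len(links)
    cluster_share = max(top_host[1], top_template[1]) / n if n else 0.0
    fires = (len(pdf_bytes) <= max_size and n >= min_links
             and pdf_targets / max(n, 1) >= min_pdf_share
             and cluster_share >= min_cluster_share)
    return {
        "size": len(pdf_bytes), "links": n, "pdf_targets": pdf_targets,
        "distinct_hosts": len(hosts), "top_host": top_host,
        "top_path_template": top_template, "cluster_share": cluster_share,
        "channels": dict(Counter(ch for ch, _ in found)),
        "PDF_SEO_LINK_FARM": fires,
    }


# Constructed sample mimicking the report's pattern: unrelated hosts, identical
# multi-level numeric upload path template, almost every target a .pdf.
SAMPLE_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/1305{i:05d}/doc{i}.pdf"
               for i in range(12)]
SAMPLE_URLS.append("http://sitehtml.example/uploads/1/3/0/6/130639990/130639990.html#bosch+glm+40")
SAMPLE_JS = b'app.launchURL\\("http://example.invalid/update.pdf"\\)'   # hypothetical script
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, SAMPLE_JS)
# Ordinary document for comparison: two citation links, different hosts and paths.
BENIGN_PDF = build_sample_pdf(["https://doi.example/10.1000/paper1.pdf",
                               "https://www.example.org/about"])

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        r = link_farm_score(blob)
        print(name, "fires" if r["PDF_SEO_LINK_FARM"] else "clean", r)
```

Run it directly to score both the constructed farm and the two-link benign document; `link_farm_score` returns its fields as a dict so they can be logged or asserted rather than only printed. In the sample, as in the URL list above, `distinct_hosts` equals the link count while `top_path_template` covers every link, which is why the clustering test looks at the path template as well as the host.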

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000134e.bin
SHA-256: fbdbca68fcb9e84c323a9f96f0247b2588c2bd9e4709c6661c8fe5cd130f0d6d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x134E
Size: 8368 bytes