Malicious PDF — malware analysis report

Static analysis result for SHA-256 1adc6bfd290fbc40…

Verdict: MALICIOUS
File type: PDF
Size: 38.1 KB
Authoring application: SWFTools
MD5: 68f91e4f45e7b9a8fbf2ad35785667a8
SHA-1: 99a7d34716a6fed5c45f6474b6328613f6c40a73
SHA-256: 1adc6bfd290fbc408719731aff4323a279346f10c4ef49e01c3f92af7d8e763d
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1598 Phishing for Information

The PDF contains a large number of embedded URLs pointing to external PDF files, a pattern typical of SEO spam carriers or of documents used to redirect victims to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' supports the phishing or traffic-redirection assessment. No scripts (JavaScript, OpenAction or launch actions) were extracted from this sample, so nothing beyond the link targets can be said about further payload delivery or execution; the sample is a lure or router, not a self-contained dropper.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://theimagecenter.info/uploads/1/3/0/3/130313398/cf7da5d8426f66.pdf
    • http://kharmarecords.com/uploads/1/3/0/5/130544584/eb16c2a37c7128.pdf
    • http://jnsgraphiccraft.weebly.com/uploads/1/3/0/6/130639575/jotogur-nenamefaz-dazojoxojasi.pdf
    • http://qor.kz/uploads/1/3/0/3/130324065/luzejem-fabekeporagebu.pdf
    • http://lucidpapercuts.com/uploads/1/3/0/5/130588390/mareb_xiliti_fanutip.pdf
    • http://rebeccalaplacaattia.com/uploads/1/3/0/5/130590153/130590153.html#english+reading+comprehension+a2+level

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001116.bin
SHA-256: 82605931ef8b442c022882d89f90df4409a41d2a42b8dd3ced6ea532bc97c4f3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1116
Size: 8808 bytes
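The two mechanical steps behind this report, the PDF_SEO_LINK_FARM heuristic in the Heuristics section and the font-stream carving in Extracted artifacts, can be reproduced with a few lines of static scanning. The block below is an added example written for this page; it is not the analysis service's own rule code and does not process the sample above. The PDF it scans is constructed inline (hostnames `farm.example` and `other.example` are placeholders), and the thresholds (64 KiB file size, at least four external .pdf links, 60% of them on one host) are assumptions chosen for illustration, not the service's tuned values. It reads only literal-string `/URI` entries and streams with a direct `/Length`, so a real sample with object streams, indirect lengths or hex-string URIs would need a proper parser (pypdf, pdfminer) in front of the same scoring logic.

```python
"""Added example, not code from the original report or the analysis service.
Scores the PDF_SEO_LINK_FARM heuristic and carves embedded sfnt font streams
from a constructed PDF. Thresholds (64 KiB, 4 links, 60% host share) and the
sample document are assumptions chosen for illustration."""
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample inputs: several /URI link annotations, most pointing at
# .pdf files on one host, plus one FlateDecode stream holding sfnt-like data.
DEFAULT_URLS = [
    "http://farm.example/uploads/1/a.pdf",
    "http://farm.example/uploads/1/b.pdf",
    "http://farm.example/uploads/1/c.pdf",
    "http://farm.example/uploads/1/d.pdf",
    "http://other.example/page.html#reading+comprehension",
]
SFNT_SAMPLE = b"\x00\x01\x00\x00" + b"OTTO" * 64   # TrueType sfnt magic + filler


def build_sample_pdf(urls=DEFAULT_URLS, font=SFNT_SAMPLE) -> bytes:
    """Build a minimal PDF body: one Link annotation per URL and one compressed
    stream object. No xref table; the scanners below do not need one."""
    objs = [f"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >>".encode()
            for u in urls]
    comp = zlib.compress(font)
    objs.append(b"<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
                % (len(comp), len(font)) + comp + b"\nendstream")
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return out + b"%%EOF\n"


URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)   # literal-string URIs only


def extract_link_uris(pdf: bytes):
    """Return every /URI target found in link-annotation action dictionaries."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def score_link_farm(pdf: bytes, max_size=64 * 1024, min_links=4, host_share=0.6):
    """Small file + many external .pdf links + most on one host => PDF_SEO_LINK_FARM."""
    uris = extract_link_uris(pdf)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    clustered = bool(pdf_links) and top_n / len(pdf_links) >= host_share
    return {
        "size": len(pdf),
        "uris": uris,
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_links": top_n,
        "hit": len(pdf) <= max_size and len(pdf_links) >= min_links and clustered,
    }


SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
# Direct /Length only; an indirect "/Length 5 0 R" would need xref resolution.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")           # skip the "endstream" keyword


def carve_font_streams(pdf: bytes):
    """Locate stream objects, inflate FlateDecode bodies, keep those that start
    with an sfnt magic, and report data offset, decoded size and SHA-256."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 512):m.start()]     # stream dictionary precedes the keyword
        dict_start = head.rfind(b"<<")                      # innermost dict only (no nesting handled)
        ln = LENGTH_RE.search(head[dict_start:]) if dict_start >= 0 else None
        if ln is None:
            continue
        start = m.end()
        body = pdf[start:start + int(ln.group(1))]
        if b"/FlateDecode" in head[dict_start:]:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        if body[:4] in SFNT_MAGIC:
            found.append({"kind": "pdf-font-stream", "offset": start,
                          "size": len(body), "sha256": hashlib.sha256(body).hexdigest()})
    return found


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(score_link_farm(sample))
    print(carve_font_streams(sample))
```

Running the block against the constructed sample fires the link-farm rule (four of five links are .pdf targets, all on one host, in a file well under the size cap) and carves one font stream with its decoded size and hash, which is the same shape of record as the artifact row above. The carved hash is worth keeping even for a benign-looking font: SWFTools and similar generators reuse font streams across a whole campaign, so the SHA-256 of the embedded font clusters lure PDFs that differ only in their link lists.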