Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b389e6deee96466…

MALICIOUS

PDF

Size: 36.6 KB
Authoring application: Scribus
MD5: 86714d08934e44ea10c5329f2ff97dcb
SHA-1: fde3d353ed0a9626d2f5e5ff142394c68793355b
SHA-256: 1b389e6deee96466d90583a1cf77b159c947941baafcc7efe628a85c49ae81d4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute further malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' reinforces the malicious nature of this file. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://morganschaeffer.com/uploads/1/3/0/4/130435673/kubofupebuto_wefanoxa.pdf
    • http://nylasvanity.com/uploads/1/3/0/7/130738889/judetibuwazikiwaluku.pdf
    • http://neuroplastique.com/uploads/1/3/0/5/130545885/mewop-medabozori-wesezafibaxa-dobudum.pdf
    • http://bonkerforbyram.com/uploads/1/3/0/2/130287283/2653064.pdf
    • http://composers.directory/uploads/1/3/0/5/130588922/ba3f5e230d.pdf
    • http://trinityresourcing.co.uk/uploads/1/3/0/4/130476462/152d1cf055f8.pdf
    • http://prologismidline.com/uploads/1/3/0/5/130588588/wufarolewe_tubalasoluvuxud.pdf
    • http://servicedapartmentbangkok.com/uploads/1/3/0/7/130739564/1587098.pdf
    • http://tdpnc.com/uploads/1/3/0/5/130551824/danoluzikanon.pdf
    • http://fail-ng.com/uploads/1/3/0/6/130604193/2bbb3e3.pdf
    • http://sovereignbirth.com/uploads/1/3/0/5/130551247/ludivuporuwaz.pdf
    • http://wangluoyouxibalidaoyulecheng.br3h.com/uploads/1/3/0/7/130776535/puxiboxazuriruvu.pdf
    • http://animalmatters.com.au/uploads/1/3/0/5/130539843/8213585.pdf
    • http://therussianstudiospa.com/uploads/1/3/0/4/130436362/wagubabet.pdf
    • http://playlearnchange.com/uploads/1/3/0/5/130589402/nufofeb.pdf
    • http://pocketndt.net/uploads/1/3/0/3/130323445/75e1b.pdf
    • http://davidquy.com/uploads/1/3/0/6/130605162/pasemeletijenul.pdf
    • http://worthytechservices.com/uploads/1/3/0/7/130775813/waboxena.pdf
    • http://officer.mediutopia.com/uploads/1/3/0/4/130435842/130435842.html#residential+building+construction+steps+pdf
    • http://wangluoyouxibalidaoyulecheng.br3h.com/uploads/1/3/0/7/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000318c.bin
SHA-256: 641eac1d2be5b085241d3f0eeb5708275960e5b17e746bcc444cd4a91bc9ce56
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x318C
Size: 7872 bytes