Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c9c4af50dab9c87…

Verdict: MALICIOUS
File type: PDF
Size: 47.6 KB
Authoring application: Soda PDF
MD5: 7dabe15c036ff9f5b50d050bf76242bf
SHA-1: 6ef76e989eca91b5ea5c2c0b686f1b2a4dcd7506
SHA-256: 1c9c4af50dab9c8787d46971768e49559b2e19e4a74cd1448c73917d7d67e000
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. No scripts were extracted from this sample, and the document body is heavily obfuscated, limiting further analysis of the specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://comoiniciarunnegocio.net/uploads/1/3/0/6/130603743/6886612.pdf
    • http://youarebow.com/uploads/1/3/0/6/130604109/dewoxitowed-rurowon.pdf
    • http://nivafoundation.com/uploads/1/3/0/5/130544318/jofukajataputol-gususubufe-tepeb.pdf
    • http://neptuneinvesting.com/uploads/1/3/0/8/130814021/64bc07fd0037de.pdf
    • http://aussiebeachfun.net/uploads/1/3/0/7/130775531/xebanires.pdf
    • http://azbasketballcoaches.com/uploads/1/3/0/6/130639561/6102421.pdf
    • http://reefnine.com/uploads/1/3/0/7/130739732/82c7f75.pdf
    • http://www.drasclass.com/uploads/1/3/0/4/130489499/24518f1f.pdf
    • http://nw-citytricks.com/uploads/1/3/0/6/130621926/jomoxulivixur.pdf
    • http://ngemi.net/uploads/1/3/0/5/130588360/kerokokonufugi.pdf
    • http://latinasazon.com/uploads/1/3/0/5/130589135/kezisilowugisufala.pdf
    • http://flebdevelopment.com/uploads/1/3/0/6/130604793/7368296.pdf
    • http://imphony.net/uploads/1/3/0/6/130604401/suvalovopiwixe-mumasimafol-vifetizi.pdf
    • http://www.mysearchforyou.com/uploads/1/3/0/6/130605442/1475516.pdf
    • http://redondobeachheating.net/uploads/1/3/0/6/130604425/4423.pdf
    • http://jdmgallc.com/uploads/1/3/0/7/130739020/lixebitov-susun-dinol-womivok.pdf
    • http://2210enterprisedrive.com/uploads/1/3/0/3/130313157/jamodovivinikonafero.pdf
    • http://aliciathoms.com/uploads/1/3/0/7/130740130/6445570.pdf
    • http://raku-pottery.com/uploads/1/3/0/2/130287413/pikuzewiwifi.pdf
    • http://www.hitimothy.com/uploads/1/3/0/9/130969621/4881990.pdf
    • http://sonshineflowersandgifts.com/uploads/1/3/0/5/130588613/kesum.pdf
    • http://oilyworks.com/uploads/1/3/0/6/130620478/lejaziwubuvip_wiloluju_monajovuwuxi_sesapigafu.pdf
    • http://sff7l.salon225.com/uploads/1/3/0/4/130483886/130483886.html#cover+letter+for+cv+template

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005856.bin
SHA-256: aed13a0a6dc52e02b495574d57d630da65f2a99a04b23738b5485827328dac3f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5856
Size: 8304 bytes