Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d31e81ee66d66a2…

Verdict: MALICIOUS
File type: PDF
Size: 48.2 KB
Authoring application: Scribus
MD5: 3f381fa75c11219e4477ee1b65750306
SHA-1: 02ee90c874494438102f63f55595c328437af08c
SHA-256: 1d31e81ee66d66a2a0e53a8a31b1921f1c42c49b4d8d6888219e3b7743c568c6
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file contains a large number of embedded links to external PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious redirection intent. The embedded URLs likely serve as lures to download further malicious content or redirect users to phishing sites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000014de.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14DE
    Size: 8228 bytes
    SHA-256: 94e1967710d9550686087c5d81fcbfbf34e628d76c7401309a84b60bbd297436
  • font_01_sfnt_off00006bfd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6BFD
    Size: 2988 bytes
    SHA-256: 6e2afe4324691a3c3a71b7653f03a4a599aa7dc33e86dd02acce13a6881b843a
  • font_02_sfnt_off000075e2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75E2
    Size: 16036 bytes
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63