Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e4dee4c24c93229…

Verdict: MALICIOUS
File type: PDF
Size: 64.5 KB
Authoring application: PDFBox
MD5: 650b73d662adbbfd136d719df16112f1
SHA-1: 4110929acc60afc396832e845ea6d3cfd94e7489
SHA-256: 1e4dee4c24c932292013e5b9b17fd03a047ae0cde8326b28efdc4752f83f9b18
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF carries a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports the malicious verdict. The document body, though heavily obfuscated, contains URLs that are likely part of the same link farm, which points to a phishing or malware-distribution campaign that uses the PDF as a carrier rather than as a document.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mespinozamen.com/uploads/1/3/0/8/130815664/jawunefazakak.pdf
    • http://midwaytacticalgear.com/uploads/1/3/0/3/130313428/e8de17b22.pdf
    • http://mfest.com.au/uploads/1/3/0/5/130552053/zudakijetowigu-xotubologusut.pdf
    • http://getmedeal.com/uploads/1/3/0/6/130639611/5167285.pdf
    • http://victoryhealthcarecenter.com/uploads/1/3/0/7/130739016/fofigunonafake-makixonurofog-dazawalo.pdf
    • http://isaglobal.org/uploads/1/3/0/5/130542780/36b39fca.pdf
    • http://lilyfairgifts.com/uploads/1/3/0/5/130543575/8845241.pdf
    • http://hostmaster.livephierce.com/uploads/1/3/0/8/130813317/4861202.pdf
    • http://www.fifipheromone.com/uploads/1/3/0/6/130620594/6ebbec7.pdf
    • http://www.harpsmobilephotography.com/uploads/1/3/0/5/130588681/xixojenifalovi_nipefurujo_desakumip_tiraz.pdf
    • http://marcusphotography.net/uploads/1/3/0/6/130620551/6164362.pdf
    • http://nolimitexcavating.com/uploads/1/3/0/6/130639513/3791561.pdf
    • http://neibaurart.com/uploads/1/3/0/2/130289496/f32b71082bf09.pdf
    • http://craftandcorkkitchen.com/uploads/1/3/0/4/130488846/wexarejesep.pdf
    • http://lumicharmed.com/uploads/1/3/0/7/130740375/verudemadi-xikuli.pdf
    • http://artisaneatware.co.za/uploads/1/3/0/6/130603763/5003b95e0b7.pdf
    • http://martahewett.net/uploads/1/3/0/5/130545098/zoxitakezenenut.pdf
    • http://northparkvoicestudio.com/uploads/1/3/0/7/130739239/1ac473.pdf
    • http://accidentattorneypocatello.com/uploads/1/3/0/7/130774999/7acfe09.pdf
    • http://nurtureunow.com/uploads/1/3/0/5/130588841/6889579.pdf
    • http://sno-ops.org/uploads/1/3/0/6/130603913/zepun.pdf
    • http://metroheatingandair.com/uploads/1/3/0/7/130738914/vuwofopobowak_wekuwoxi_wakiv.pdf
    • http://psinco.com/uploads/1/3/0/5/130550748/006b6472fc1.pdf
    • http://xianshanghongtaokyulecheng.br3h.com/uploads/1/3/0/4/130483338/130483338.html#acgih+screening+criteria+for+heat+stress+exposure
    • http://sno-ops.org/uploads/1/3/0/6/130
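As an added illustration of the PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above (example code written for this page, not the analysis tool's own implementation), the following Python pulls URLs out of a PDF per channel (link annotation, JavaScript action, raw content stream) and then applies a link-farm check of the kind the heuristic text describes. The PDF bytes, host names and thresholds are constructed for the example. Because the URLs listed above sit on many different hosts but all share the same /uploads/N/N/N/N/N/ path shape, the check also measures how many links share one path template, which goes a step beyond the per-host clustering the heuristic text mentions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal uncompressed PDF with
# three /Link annotations (two on one host), a JavaScript OpenAction and one
# bare URL inside the page content stream.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /JavaScript /JS (app.launchURL\\("http://js-host.example/run.pdf", true\\)) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] /Contents 7 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-host.example/uploads/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-host.example/uploads/2/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other-host.example/c.pdf) >> >> endobj
7 0 obj << /Length 45 >> stream
BT (see http://body-host.example/d.pdf) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF literal string: anything but bare parens, or a backslash escape.
PDF_STR = rb"\(((?:[^()\\]|\\.)*)\)"
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*" + PDF_STR)   # link annotation target
JS_RE = re.compile(rb"/JS\s*" + PDF_STR)                        # inline JavaScript action
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s'\"()<>\\]+")


def unescape(s: bytes) -> bytes:
    """Undo the PDF string escapes that matter for URLs."""
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def extract_urls(pdf: bytes) -> list:
    """Return (channel, url) pairs; the channel says how a reader reaches the URL."""
    found = []
    for m in URI_ACTION_RE.finditer(pdf):
        found.append(("link-annotation", unescape(m.group(1)).decode("latin-1")))
    for m in JS_RE.finditer(pdf):
        for u in URL_RE.findall(unescape(m.group(1))):
            found.append(("javascript", u.decode("latin-1")))
    for m in STREAM_RE.finditer(pdf):
        for u in URL_RE.findall(m.group(1)):
            found.append(("document-body", u.decode("latin-1")))
    return found


def path_template(url: str) -> str:
    """Collapse numeric path segments and drop the file name, so that
    /uploads/1/3/0/8/130815664/x.pdf becomes /uploads/N/N/N/N/N/."""
    parts = urlparse(url).path.split("/")[:-1]
    return "/".join("N" if p.isdigit() else p for p in parts) + "/"


def link_farm_check(pdf: bytes, max_size=256 * 1024, min_links=10, min_share=0.6) -> dict:
    """Hypothetical thresholds (assumed, not the tool's): a small file whose link
    annotations mostly point at one host, or one path template, looks generated."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link-annotation"]
    n = len(links)
    hosts = Counter(urlparse(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host, host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    share = max(host_n, tpl_n) / n if n else 0.0
    return {
        "size": len(pdf), "link_annotations": n,
        "top_host": top_host, "host_share": host_n / n if n else 0.0,
        "top_path_template": top_tpl, "template_share": tpl_n / n if n else 0.0,
        "link_farm": len(pdf) <= max_size and n >= min_links and share >= min_share,
    }


if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_check(SAMPLE_PDF, min_links=3))
```

On a real sample, read the file bytes and call the two functions; annotation dictionaries stored inside compressed object streams, indirect /A references and FlateDecode'd content streams are not resolved here, so a full parser (or inflating streams first) is needed before the counts are trustworthy.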

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001773.bin
SHA-256: 3fed5d04454d742ebb7dc33eb3621157b270cf09ae86881619e6819d21dbd003
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1773
Size: 9832 bytes
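The artifact row above records an sfnt font stream carved at a file offset, with its decoded size and SHA-256. As an added example (written for this page, not the analysis tool's carving code), the following Python walks the stream objects of a PDF, inflates FlateDecode'd ones, keeps those whose data begins with an sfnt magic, reads the sfnt table directory and reports the same fields. The sample PDF, its two font objects, the table contents and the output filename pattern are all constructed or assumed for the example.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = {b"\x00\x01\x00\x00": "truetype", b"true": "truetype",
               b"OTTO": "opentype-cff", b"ttcf": "collection"}
# A flat stream dictionary immediately followed by the stream keyword
# (nested << >> dictionaries are not handled by this regex).
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")


def build_sfnt(tables: dict) -> bytes:
    """Build a minimal sfnt container: 12-byte offset table, 16-byte
    directory entries, then 4-byte-aligned table data (checksums left 0)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    directory, body = b"", b""
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body


def pdf_stream(num: int, data: bytes, compress: bool, extra: bytes = b"") -> bytes:
    """Constructed PDF object wrapping `data` as a stream, optionally deflated."""
    raw = zlib.compress(data) if compress else data
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%d 0 obj << /Length %d%s%s >>\nstream\n" % (num, len(raw), extra, filt)
            + raw + b"\nendstream\nendobj\n")


# Constructed sample (not the analysed file): a content stream, a raw
# TrueType font stream and the same font stored FlateDecode'd.
FONT = build_sfnt({b"head": bytes(54), b"glyf": b"\x01\x02\x03"})
SAMPLE_PDF = (b"%PDF-1.4\n"
              + pdf_stream(5, b"BT (hi) Tj ET", False)
              + pdf_stream(6, FONT, False, b" /Length1 %d" % len(FONT))
              + pdf_stream(7, FONT, True, b" /Length1 %d" % len(FONT))
              + b"trailer << /Root 1 0 R >>\n%%EOF\n")


def carve_fonts(pdf: bytes) -> list:
    """Find streams whose decoded data starts with an sfnt magic and return
    the fields the artifact table shows: offset, size, kind, SHA-256, tags."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        d = m.group(1)
        lm = re.search(rb"/Length\s+(\d+)", d)   # does not match /Length1
        if not lm:
            continue
        start, length = m.end(), int(lm.group(1))
        raw = pdf[start:start + length]
        data = zlib.decompress(raw) if b"/FlateDecode" in d else raw
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue
        num_tables = struct.unpack(">H", data[4:6])[0]
        tags = [data[12 + 16 * i:16 + 16 * i].decode("latin-1") for i in range(num_tables)]
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "offset": start, "raw_size": length, "size": len(data),
            "kind": kind, "tables": tags,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print(f["filename"], f["kind"], f["size"], "bytes", f["tables"], f["sha256"])
```

The offset reported is that of the stream data in the file, matching the "at offset 0x1773" convention of the table, while the size and hash are taken over the decoded bytes; a real sample may also use other filters (ASCIIHex, LZW) or object streams, which this example does not decode.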