Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f348022672bb137…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Authoring application: QPDF
MD5: 700bc063cd235b512f400838dbae6861
SHA-1: f2c31445943c232d6dfc463aa6876ee6ca19f9d6
SHA-256: 1f348022672bb137b72f55e007387ff5bbf8b5607678ea17b25310eff81fdce3
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The file is a small PDF whose content is dominated by clickable external links to other PDF files, which is exactly what the PDF_SEO_LINK_FARM heuristic flags. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently classifies it as phishing. Its apparent purpose is to route readers into a large collection of similar PDFs hosted across many domains, a pattern typical of generated SEO-spam carriers that lead on to phishing pages or unwanted-software downloads. Two details in the URL list fit that assessment: one target sits on a PayPal-lookalike host (paypal-support-limitted.com), and one carries a search-keyword fragment (#html+to+pdf+java+maven) of the kind used to bait search traffic. Treat every listed URL as hostile; none of them should be opened outside an isolated environment.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://wuvepineb.weebly.com/uploads/1/3/0/6/130605135/nuwagi-wavazovusope-nipidijovu-woragam.pdf
    • http://valkrieshopgoddess.com/uploads/1/3/0/4/130476575/dabonajaxobene.pdf
    • http://sjmjkzqpgbkayi.weebly.com/uploads/1/3/0/6/130604602/faluropipimati_ziwowojikafoxi_kejelitu.pdf
    • http://theletsbehonest.com/uploads/1/3/0/2/130291463/jovipububasep.pdf
    • http://tentmakers.co/uploads/1/3/0/5/130590538/6245255.pdf
    • http://mikepaganrealtor.com/uploads/1/3/0/6/130639962/xuduxag-bixijuku.pdf
    • http://knowltonplacehomes.com/uploads/1/3/0/4/130435667/xosuwukobarewex_jojamol.pdf
    • http://zewonovem.the-future-company.com/uploads/2020/01/28/vomidewikaxif-bepopipox.pdf
    • http://racqueteerproshop.com/uploads/1/3/0/4/130478760/pepimobu.pdf
    • http://nujalikuju.shopdochoi.tech/uploads/2020/01/27/soreze.pdf
    • http://velobristol.com/uploads/1/3/0/5/130550901/getimis.pdf
    • http://dikil.boom-trikes.ru/uploads/2020/01/27/94ef83c.pdf
    • http://clspropertymaintenance.com/uploads/1/3/0/5/130590738/8597256.pdf
    • https://memopaburox.weebly.com/uploads/1/3/0/5/130551457/bd4f19.pdf
    • http://vivekiju.efficientenergy.ru/uploads/2020/01/27/libufupopi.pdf
    • http://activemech.com/uploads/1/3/0/3/130312983/030f4a90f9d9a.pdf
    • http://spicysnack.com/uploads/1/3/0/5/130551927/wanakosuja.pdf
    • http://marnimigrealtor.com/uploads/1/3/0/2/130270951/6146791.pdf
    • http://lijinimax.paypal-support-limitted.com/uploads/2020/01/28/jawubaf.pdf
    • http://mijoz.remstroi-metal.ru/uploads/2020/01/29/7921761.pdf
    • http://collier-pave.com/uploads/1/3/0/4/130483417/dujimofanogojuf_lilogatenowut_xovesepabozevo_xewup.pdf
    • http://grandcentraltradingcompany.com/uploads/1/3/0/3/130323341/23500.pdf
    • http://airscrubbersales.com/uploads/1/3/0/6/130605165/juvafar-gekegavumibe.pdf
    • http://fodozu.tele2store.ru/uploads/2020/01/28/sawavizitozex.pdf
    • http://wusaxifo.on-kot.ru/uploads/2020/01/27/f0712d3f4e0e1.pdf
    • http://mustardseedmarketinggroup.com/uploads/1/3/0/6/130640133/130640133.html#html+to+pdf+java+maven
    • http://grandcentraltradingcompany.com/uploads/1/3/0/3/130323
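The PDF_SEO_LINK_FARM and EMBEDDED_URL entries above describe the two steps an analyst would reproduce: pull every link-annotation /URI out of the file, then score the file on how small it is, how many external .pdf links it carries and whether they cluster on one host. The following is an added example of that logic, not the analysis tool's own code; the thresholds, the helper names and the *.example hostnames in the constructed sample are assumptions, not values taken from this report.

```python
"""Added example (not the report tool's code): re-implementation of the
PDF_SEO_LINK_FARM idea on top of /URI extraction. Thresholds, helper names
and the constructed *.example hostnames are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# A /URI value is a PDF literal string "(...)" (group 1) or a hex string "<...>" (group 2).
# Escaped parens inside literals are handled; balanced *unescaped* nested parens, which the
# spec also permits, are not (good enough for link-farm carriers, not a full PDF lexer).
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def unescape_literal(raw: bytes) -> str:
    r"""Undo PDF literal-string escapes: \( \) \\ \n and friends."""
    return re.sub(rb"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), raw).decode("latin-1")


def extract_link_uris(pdf: bytes) -> list:
    """Every /URI string in the file, in document order, decoded to text."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group(2) is not None:                  # hex string form
            digits = re.sub(rb"\s", b"", m.group(2))
            if len(digits) % 2:                     # spec: an odd trailing digit is padded with 0
                digits += b"0"
            uris.append(bytes.fromhex(digits.decode()).decode("latin-1"))
        else:
            uris.append(unescape_literal(m.group(1)))
    return uris


def score_link_farm(pdf: bytes, *, max_size=200_000, min_links=10,
                    min_pdf_share=0.8, min_host_share=0.5) -> dict:
    """Heuristic: a small file carrying many external links, nearly all of them to other
    .pdf files, with a large share on one host. All four thresholds are assumptions."""
    uris = extract_link_uris(pdf)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_share = len(pdf_links) / len(external) if external else 0.0
    host_share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_links
               and pdf_share >= min_pdf_share)
    return {"size": len(pdf), "external_links": len(external), "pdf_links": len(pdf_links),
            "pdf_share": round(pdf_share, 2), "top_host": top_host,
            "host_share": round(host_share, 2),
            "clustered": host_share >= min_host_share,   # supporting evidence, not required to flag
            "flagged": flagged}


def build_sample_pdf(urls) -> bytes:
    """Construct a tiny one-page PDF whose only content is one /Link annotation per URL
    (a constructed stand-in for the analysed file, with a valid xref so other tools open it)."""
    annots = []
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
                      f"/A << /S /URI /URI ({esc}) >> >>")
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(annots)))
    objects = ["<< /Type /Catalog /Pages 2 0 R >>",
               "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
               f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 400] /Annots [{refs}] >>",
               *annots]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_at = len(out)
    out += f"xref\n0 {len(objects) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)


# Constructed sample inputs; the hostnames are made up, not taken from the report above.
SAMPLE_FARM_URLS = (
    [f"http://docs.lnk-farm.example/uploads/1/3/0/{i}/{1000 + i}.pdf" for i in range(9)]
    + ["http://one.example/uploads/a.pdf",
       "https://two.example/uploads/b(1).pdf",     # parens exercise the escape handling
       "http://three.example/uploads/c.pdf",
       "http://four.example/index.html",           # one ordinary non-PDF link
       "mailto:nobody@example"]                    # not an http(s) link at all
)
SAMPLE_BENIGN_URLS = ["https://one.example/paper.html", "https://two.example/data.csv"]

if __name__ == "__main__":
    for name, urls in (("link farm", SAMPLE_FARM_URLS), ("benign", SAMPLE_BENIGN_URLS)):
        print(name, score_link_farm(build_sample_pdf(urls)))
```

Run against a real sample, the interesting output is not the verdict but the `top_host` and `host_share` fields: a carrier whose targets all sit on one host is a single takedown, while one spread over dozens of compromised sites (as in the list above) is an infrastructure problem, and the heuristic's host-clustering signal is deliberately kept as supporting evidence rather than a precondition for flagging.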

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000017cc.bin
    SHA-256: 6f34b84d934a45838f59dc544ababd80e6720a2fb8b17d269f93ff25c918c9f1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17CC
    Size: 7720 bytes
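The artifact entry above records a stream carved at a byte offset, decoded, recognised as an sfnt font and hashed. The following is an added example of that carving step, not the analysis tool's own code: it delimits each `stream ... endstream` object (trusting a direct /Length only when an `endstream` keyword really follows it, since malformed PDFs lie about lengths), inflates FlateDecode data, and identifies sfnt payloads by their table-directory header. The fake font, the constructed PDF and the helper names are assumptions for the demonstration.

```python
"""Added example (not the report tool's code): carve PDF stream objects, undo
FlateDecode and recognise embedded sfnt fonts, reporting offset, size and SHA-256
in the same shape as the artifact entry above. The fake font and the helper names
are assumptions for the demonstration."""
import hashlib
import re
import struct
import zlib

# Single-font sfnt tags; TrueType collections ("ttcf") use a different header and are out of scope.
SFNT_TAGS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}
# Direct integer /Length only: "/Length 5 0 R" (indirect) and "/Length1" must not match.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def is_sfnt(data: bytes) -> bool:
    """Header check: 4-byte tag, then numTables/searchRange/entrySelector/rangeShift, then
    16-byte table records. Validate numTables against the size rather than trusting the tag."""
    if len(data) < 12 or data[:4] not in SFNT_TAGS:
        return False
    num_tables = struct.unpack(">H", data[4:6])[0]
    return 0 < num_tables <= 64 and len(data) >= 12 + 16 * num_tables


def dict_before(pdf: bytes, pos: int) -> bytes:
    """The dictionary that closes just before `pos`, walking back over nested << >>."""
    end = pdf.rfind(b">>", 0, pos)
    depth, i = 0, end
    while i >= 0:
        two = pdf[i:i + 2]
        if two == b">>":
            depth += 1
            i -= 2
        elif two == b"<<":
            depth -= 1
            if depth == 0:
                return pdf[i:end + 2]
            i -= 2
        else:
            i -= 1
    return b""


def carve_streams(pdf: bytes) -> list:
    """Locate every stream, delimit it by /Length when that is direct and honest, else by the
    endstream keyword, inflate if needed, and classify the payload."""
    found = []
    for m in re.finditer(rb"\bstream\r?\n", pdf):        # \b keeps "endstream" from matching
        start = m.end()
        d = dict_before(pdf, m.start())
        end = None
        lm = LENGTH_RE.search(d)
        if lm:
            cand = start + int(lm.group(1))
            if re.match(rb"\s*endstream", pdf[cand:cand + 16]):
                end = cand
        if end is None:                                   # indirect or lying /Length: use the keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            while end > start and pdf[end - 1:end] in (b"\r", b"\n"):
                end -= 1
        raw = pdf[start:end]
        data, filt = raw, "none"
        if b"/FlateDecode" in d:
            filt = "FlateDecode"
            try:
                data = zlib.decompressobj().decompress(raw)   # tolerates a truncated tail
            except zlib.error:
                data = raw                                     # not deflate after all; keep the bytes
        found.append({"offset": start, "filter": filt,
                      "kind": "pdf-font-stream" if is_sfnt(data) else "other",
                      "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    return found


def fake_sfnt() -> bytes:
    """Constructed 32-byte sfnt: version 1.0 header, one 'head' table record, 4 bytes of data."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"head", 0, 28, 4)
    return header + record + b"\x00\x01\x00\x00"


def build_sample_pdf(font: bytes) -> bytes:
    """Constructed PDF fragment: one plain content stream and one deflated font stream
    (no xref table, which the carver does not need)."""
    plain = b"BT /F1 12 Tf (hello) Tj ET"
    packed = zlib.compress(font)
    objects = [
        b"<< /Type /Catalog >>",
        b"<< /Length %d >>\nstream\n" % len(plain) + plain + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(packed), len(font))
        + packed + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for n, body in enumerate(objects, start=1):
        pdf += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for art in carve_streams(build_sample_pdf(fake_sfnt())):
        print(f"0x{art['offset']:X} {art['kind']:16} {art['filter']:12} {art['size']:6} {art['sha256']}")
```

The reported offset is that of the stream data, so the same number can be fed to a hex editor or to `dd` to pull the raw bytes out of the original file; the hash is taken over the decoded payload, which is what you would compare against a font-library corpus or submit elsewhere, not over the deflated bytes as they sit in the PDF.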