Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The PDF file contains a large number of external links, identified as a link farm, designed to redirect users to malicious PDF content. The document body, though heavily obfuscated, attempts to lure users with a 'Netflix android tv apk mod' pretext. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports a phishing and malware distribution campaign.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL info (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00001724.bin 15d41ea9c14a424a27cab413cb7c5a0366312b9f0650ce831f5b9162ab67d460 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1724 | 8800 bytes |
| font_01_sfnt_off000079ad.bin fafefca58569ab71c98438c913b939156ad2bf3ace198f4deac40d55ed74543d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x79AD | 1844 bytes |
| font_02_sfnt_off00008237.bin 11e54483a472b7626fd2cc4b1ded60b4c9464f2d11500406aae50e2bf43ff030 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8237 | 16720 bytes |