Malicious PDF — malware analysis report

Static analysis result for SHA-256 2345c849aa84667f…

Verdict: MALICIOUS
File type: PDF

Size: 49.7 KB
Authoring application: PDFBox
MD5: 4ec34b1c9fde186edf6ed86620dd6409
SHA-1: f3c39b68076230692513bdf3434c2fdca4fa17f8
SHA-256: 2345c849aa84667f99c6af899144d141a27853743d314be7321a3da3305edd52
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to other PDF files, suggesting a link farm for SEO or malicious redirection. The document body, though heavily obfuscated, contains text related to software downloads, and a critical heuristic indicates instructions to disable security software. This combination strongly suggests a phishing or malware delivery attempt. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports this assessment.

Heuristics (5)

  • Small PDF contains mass external PDF link farm [severity: critical, id: PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [severity: critical, id: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Security software disable instruction [severity: high, id: SE_SECURITY_BYPASS]
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure [severity: low, id: SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL [severity: info, id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://holy-post.net/uploads/1/3/0/6/130621330/6316601.pdf
    • http://thevillagemiami.com/uploads/1/3/0/6/130639629/847895.pdf
    • http://yukonstoneoutfitters.com/uploads/1/3/0/8/130814057/kusunirajofoxib_napizaburemif_domemodebug_nidemifebumi.pdf
    • http://dmicreativemanagement.com/uploads/1/3/0/3/130313158/f5e43c022230.pdf
    • http://kinetic-k9.com/uploads/1/3/0/6/130604304/bubage.pdf
    • http://koawarriors.com/uploads/1/3/0/2/130272880/larukirekiwixakunaf.pdf
    • http://nancyhamiltonmyers.com/uploads/1/3/0/7/130776324/7378128.pdf
    • http://surpluspost.net/uploads/1/3/0/4/130488914/9455668.pdf
    • http://oldfieldtubeamps.com/uploads/1/3/0/4/130435602/4686855.pdf
    • http://menagainstcancer.net/uploads/1/3/0/6/130640057/6043533.pdf
    • http://kapilgupta.net/uploads/1/3/0/3/130313167/fikigomig.pdf
    • http://boshuster.org/uploads/1/3/0/7/130776874/276620.pdf
    • http://roslyn.online/uploads/1/3/0/6/130605506/77ff82.pdf
    • http://level7atl.com/uploads/1/3/0/4/130488786/4267688.pdf
    • http://maidofstars.co.uk/uploads/1/3/0/4/130489358/e517c01f90fe59.pdf
    • http://myentouragemusic.com/uploads/1/3/0/2/130272342/130272342.html#adobe+photoshop+elements+9+windows+10+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003bac.bin
  SHA-256: 4d97b047b6d56c7a29084cf70f6349bde9474518ee6674538683765d3fce4bee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3BAC
  Size: 5396 bytes

Filename: font_01_sfnt_off00004c59.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4C59
  Size: 16036 bytes

Filename: font_02_sfnt_off00006431.bin
  SHA-256: 60fdfc27ff62ad4152000e5a58b4ade0e9ecdbd318a128d07ce51851ee62d889
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6431
  Size: 9456 bytes