Malicious PDF — malware analysis report

Static analysis result for SHA-256 235274efe52d1dbb…

MALICIOUS

PDF

39.0 KB Authoring application: ImageMagick
MD5: 82153d61d6a98302bd7d5e46e74305f2 SHA-1: 58c699e74898093ede2009c49d8a703a025af6aa SHA-256: 235274efe52d1dbbd5676bb479da8430691bcbef0547bb53a310b2f2505a4d5f
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm of 31 external PDF files, identified by the PDF_SEO_LINK_FARM heuristic, indicating a phishing or redirection attempt. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. The document body, though heavily obfuscated, appears to be a worksheet lure. The primary attack pattern involves directing users to a large number of external URLs, likely for further malicious payload delivery or phishing.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://moreaction.co/uploads/1/3/0/3/130324351/33d43bbd4d92d68.pdf
    • http://gaoerfuyulechengaomenduchang.br3h.com/uploads/1/3/0/6/130639746/5b5e89dc29dd.pdf
    • http://www.vera-dns.com/uploads/1/3/0/5/130588987/843998.pdf
    • http://extautomotive.com/uploads/1/3/0/7/130740186/pekerulamutewu_mutakovuvena_pujeko.pdf
    • http://220-server.relap.com/uploads/1/3/0/7/130739113/nomidemikoxetixolel.pdf
    • http://www.philmlandshowcase.com/uploads/1/3/0/5/130551764/2596206.pdf
    • http://shoplarynshairtherapy.com/uploads/1/3/0/7/130775269/xekimowatapa.pdf
    • http://microsoftpost.net/uploads/1/3/0/2/130289563/danozorogo-nigasekesovusa.pdf
    • http://myforgottenself.com/uploads/1/3/0/3/130313272/fa0ce17bbbf1c.pdf
    • http://northernlightshockeynj.com/uploads/1/3/0/6/130621005/subinapewufexabo.pdf
    • http://panamericannano2017.com/uploads/1/3/0/6/130639370/9664478.pdf
    • http://bgspecancandy.com/uploads/1/3/0/4/130435833/radaf-legoki-gonekuxasuziju.pdf
    • http://www.bluemessinia.gr/uploads/1/3/0/7/130776111/9785683.pdf
    • http://theapostolicchurch-newlife.org/uploads/1/3/0/6/130621548/zaviwide.pdf
    • http://lostjedis.net/uploads/1/3/0/3/130323172/6362699.pdf
    • http://middlechildclothing.com/uploads/1/3/0/6/130603941/forenakofagepe.pdf
    • http://grahampentelow.com/uploads/1/3/0/3/130313595/130313595.html#factoring+trinomials+worksheet+coloring+activity+answers

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003ad1.bin
334e62ec3aea52886e95b70df12dc424123c533ce45b822592f593c91a71fbc9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3AD1 8576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.