Malicious PDF — malware analysis report

Static analysis result for SHA-256 26b4f6f0d1f469c3…

Verdict: MALICIOUS

File type: PDF

Size: 39.8 KB
Authoring application: QPDF
MD5: 6ae530f31acf0d0907334a75cbe75e3f
SHA-1: c31d150ba4e1939c0a0696e01c27fbca66cd80dd
SHA-256: 26b4f6f0d1f469c36cb6f1dba641aa6ec2285101a32f01a98e986b4c29229289
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, as flagged by the PDF_SEO_LINK_FARM heuristic. These links likely lead to malicious content, as suggested by the ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0. The embedded URLs point to various domains, many of which host downloadable PDF files, suggesting a phishing or malware distribution campaign.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://speacetech.us/uploads/2020/01/27/kusas.pdf
    • https://zotoxudegawawom.weebly.com/uploads/1/3/0/4/130483163/8234047.pdf
    • http://maxaseja.marketingdigitalpolitico.com/uploads/2020/01/29/sazev.pdf
    • http://jolu.jitoli.icu/uploads/2020/01/29/pilogurox.pdf
    • https://jefezaxi.weebly.com/uploads/1/3/0/2/130274263/4637748.pdf
    • https://betujemaw.weebly.com/uploads/1/3/0/4/130483402/mukoverur.pdf
    • http://texime.biohimchistka.ru/uploads/2020/01/27/nalugogus.pdf
    • https://wetagobin.weebly.com/uploads/1/3/0/3/130323161/5fed4ee83.pdf
    • http://hutchinsontransport.com/uploads/1/3/0/5/130590710/1365646.pdf
    • https://wuginexaxegel.weebly.com/uploads/1/3/0/2/130270740/979a8.pdf
    • http://limopifib.ecsog.ru/uploads/2020/01/29/8287492.pdf
    • http://turi.flame.company/uploads/2020/01/27/norixota_tepuxisemufo_dixopaj.pdf
    • http://kingofthecooptampa.com/uploads/1/3/0/6/130621583/130621583.html#face2face+advanced+second+edition+teacher%27s+book+pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000016db.bin
SHA-256: 7fd9e861eb309c54d8403cd270cf07fc41873ff51e975c359f899c371e548473
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16DB
Size: 12888 bytes