Malicious PDF — malware analysis report

Static analysis result for SHA-256 275583989e2c8b0f…

Verdict: MALICIOUS

File type: PDF

Size: 40.9 KB
Authoring application: pdf-parser
MD5: 7cb8bad92dc3629f135b98870ad46200
SHA-1: c209d62b0700f64a4eed13d3a2a6265b0c4020b2
SHA-256: 275583989e2c8b0f5301b4be13c95dd0f2171f357060d2807f7fd902a01f6792
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique commonly used for phishing or distributing further malware. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or traffic redirection purpose. The heuristic 'PDF_SEO_LINK_FARM' confirms the presence of a link farm, indicating a deliberate effort to direct users to external content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003eff.bin
SHA-256: fdbd9ebebe17293fb1b36b9a21863c2a02d12f4d65042f06f322ce0e4bfe20c1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3EFF
Size: 7820 bytes