Malicious PDF — malware analysis report

Static analysis result for SHA-256 279c0726143ac1d2…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
Authoring application: pdf-parser
MD5: 6272b86c765f7672eba9b35a7a515bf1
SHA-1: b0a48a94e20279526d092d79dc9fef6447f48b5c
SHA-256: 279c0726143ac1d2f0926eaf800481179cfcacabafb5a56c623dc6113d8b76b8
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, a pattern typical of generated SEO link-farm documents used to manipulate search rankings or to funnel users toward malicious content. The extracted links sit on many different hosts but share a single upload-path template (/uploads/1/3/0/<n>/<id>/<name>.pdf), which points to mass generation on one hosting platform rather than to ordinary document citations; the one .html target carries a search phrase in its URL fragment, consistent with SEO bait. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent, most likely phishing or traffic redirection. No scripts were extracted from this sample, so the specific payload delivery mechanism at the far end of the link chain cannot be determined from the file alone.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links. In this sample the links are spread across different hosts but share one upload-path template, which matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://paulakeogh.net/uploads/1/3/0/6/130604715/juputebupa.pdf
    • http://summercampdiary.com/uploads/1/3/0/5/130539265/3339527.pdf
    • http://sugarlandpremierroofing.com/uploads/1/3/0/5/130550667/646ebf.pdf
    • http://quaternityoga.com/uploads/1/3/0/6/130604210/13e55d3fbe8d0ee.pdf
    • http://hotel-tentrem.net/uploads/1/3/0/6/130620443/1385898.pdf
    • http://konect2us.com/uploads/1/3/0/5/130590509/noboretuwigar-sesusek-marogo.pdf
    • http://pintanbastos.net/uploads/1/3/0/7/130740627/zanigiwosena.pdf
    • http://gregwcraft.com/uploads/1/3/0/2/130287842/tirobak.pdf
    • http://kiemtratenmien.net/uploads/1/3/0/6/130604465/01590679ad.pdf
    • http://surgicalwebcasting.com/uploads/1/3/0/5/130541765/jusibu-mobijumajede-giferafaputol.pdf
    • http://veronicasbridalshop.com/uploads/1/3/0/2/130272101/7181722.pdf
    • http://mysprout.shop/uploads/1/3/0/7/130738996/girom-forofaxuguj-folikosotar-pobunirod.pdf
    • http://orcinushop.com/uploads/1/3/0/8/130874473/demidirux-jisumasopu-luxirene.pdf
    • http://petsbeforepeople.com/uploads/1/3/0/7/130776385/pitiramikaf.pdf
    • http://northjerseydirectmail.com/uploads/1/3/0/6/130604956/wopanezezozimed.pdf
    • http://cyberbullyupstander.com/uploads/1/3/0/7/130776439/84ed5db2fa40.pdf
    • http://straitcycles.us/uploads/1/3/0/6/130620974/kapejoxosibeforim.pdf
    • http://restoreactive.ca/uploads/1/3/0/6/130605443/d45c9d7710aa.pdf
    • http://host90.carmichaelnl.com/uploads/1/3/0/6/130621771/130621771.html#second+law+of+thermodynamics+problems+and+solutions+pdf
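The following script is an added example, not part of this report or of the analysis tool that produced it. It reimplements the PDF_SEO_LINK_FARM idea over raw PDF bytes: it pulls the /URI targets of link annotations out of a file, counts how many are external .pdf links, and measures how strongly they cluster. It goes one step beyond the heuristic text in that it clusters not only by host but also by path template (digit runs collapsed, filename dropped), because the URLs listed above are spread over many hosts yet share the same /uploads/1/3/0/<n>/<id>/<name>.pdf shape. The thresholds (200 KB, 10 links, 50 % clustering) are assumptions, and the sample PDFs are constructed inline on hypothetical .test hosts, not the analysed file. Only literal-string /URI values in uncompressed objects are handled; a real triage tool would inflate /FlateDecode object streams first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed inputs (hypothetical .test hosts, not the analysed sample):
# twelve links on distinct hosts that share one upload-path template, and a
# normal document with two citation links.
FARM_URLS = [
    f"http://site{i:02d}.test/uploads/1/3/0/{2 + i % 7}/13{600000 + i * 9973:07d}/doc{i}.pdf"
    for i in range(12)
]
CITATION_URLS = [
    "https://publisher.test/papers/carnot-1824.pdf",
    "https://standards.test/spec/thermo-tables.pdf",
]


def build_sample_pdf(urls):
    """Constructed test input: a one-page PDF with one /Link annotation
    carrying a /URI action per URL (hypothetical, not the analysed file)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


# /URI followed by a PDF literal string; handles escaped parentheses/backslashes.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_link_uris(pdf_bytes):
    """Return the /URI targets of link actions found in the raw PDF, in file order."""
    found = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        found.append(raw.decode("latin-1"))
    return found


def path_template(url):
    """Collapse digit runs and drop the filename so that
    /uploads/1/3/0/6/130604715/juputebupa.pdf -> /uploads/N/N/N/N/N/<file>."""
    directory = urlparse(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory) + "/<file>"


def link_farm_score(pdf_bytes, max_size=200_000, min_links=10, cluster_ratio=0.5):
    """Flag a small PDF whose external links are mostly .pdf targets clustered
    on one host or on one generator path template (thresholds are assumptions)."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlparse(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tmpl = templates.most_common(1)[0] if templates else ("", 0)
    host_ratio = top_host[1] / n if n else 0.0
    tmpl_ratio = top_tmpl[1] / n if n else 0.0
    pdf_links = sum(1 for u in external if urlparse(u).path.lower().endswith(".pdf"))
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and pdf_links / n >= cluster_ratio
               and max(host_ratio, tmpl_ratio) >= cluster_ratio)
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_links": pdf_links,
        "top_host": top_host[0],
        "host_ratio": round(host_ratio, 2),
        "top_path_template": top_tmpl[0],
        "template_ratio": round(tmpl_ratio, 2),
        "PDF_SEO_LINK_FARM": flagged,
    }


if __name__ == "__main__":
    for label, urls in (("link-farm sample", FARM_URLS), ("citation sample", CITATION_URLS)):
        print(label, link_farm_score(build_sample_pdf(urls)))
```

Host clustering alone would miss the sample described in this report (one link per host), which is why the template ratio is evaluated alongside it; on real files, run the extraction after decompressing object streams, and treat the verdict as a triage signal to be confirmed by the per-URL channel labels, not as a detection by itself.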

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000301b.bin
  SHA-256: 613ee93c29569eb00b93764606f1fa5fed750c78578cd984b258cb10d738d673
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x301B
  Size: 16076 bytes

Filename: font_01_sfnt_off0000449a.bin
  SHA-256: cbef2c21d4c5c0fe600d2afc71cac40614b347c3c4895a55c669f92fced8d07a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x449A
  Size: 3212 bytes

Filename: font_02_sfnt_off00005239.bin
  SHA-256: 90fe8087280bdac5804057a665a360d819a73c1231a142d79661cccd71fa4887
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5239
  Size: 7864 bytes