Malicious PDF — malware analysis report

Static analysis result for SHA-256 2931272c9fe11823…

Verdict: MALICIOUS
File type: PDF
Size: 37.6 KB
Authoring application: pstoedit
MD5: 2551c1f0fcae4d9812d06e655b0f3101
SHA-1: 3f3376a4d5c199cf9ea78ced7e40b294af575e50
SHA-256: 2931272c9fe11823cb3cfc8a36bfdb934955feab6445fcdf1775d63b9659b8ef
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.003 Windows Command Shell

The PDF contains a large number of external links, identified as a link farm, directing users to various websites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the heuristic 'PDF_SEO_LINK_FARM' strongly suggest a phishing or malware distribution intent. The presence of a 'LOLBin_RUN_COMMAND' heuristic indicates potential execution of malicious commands, although no specific script was extracted to detail this further. The document body, though heavily obfuscated, contains text related to 'Ielts speaking samples', used as a lure.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_LOLBIN_RUN_COMMAND (high): Visible LOLBin command execution instruction
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ballyloobyns.weebly.com/uploads/1/3/0/2/130272903/2245759.pdf
    • http://spccmd.com/uploads/1/3/0/2/130274088/bimituvidofef.pdf
    • http://flatlandultrarunner.com/uploads/1/3/0/6/130604910/1698983.pdf
    • http://dirtylittleclaws.com/uploads/1/3/0/5/130546971/tugezipuzeti.pdf
    • http://nobuhotelriyadh-fullsite.devsite-1.com/uploads/1/3/0/4/130483656/130483656.html#ielts+speaking+samples+with+questions+and+answers+collected+and+edited+by+david

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010a7.bin
SHA-256: 62b4e74f5e0bfde578fa49a34bded5b4d4bd67272d815408c3f90108dbc9774e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10A7
Size: 8928 bytes