Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ada898cd5272be4…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Authoring application: Mobipocket Creator
MD5: 4393d76b82481fcfc695e22767a1a129
SHA-1: 92cd43cb2fab17659033e0dc5be17bd1c0c07151
SHA-256: 2ada898cd5272be4262b8ad83c092c96bb1f02335aa81c310971a881ad35a47e
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files, a technique often used for SEO spam or to redirect users to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The document body itself contains some of these URLs, reinforcing the link farm attack pattern.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://bcdcosmetics.com/uploads/1/3/0/3/130323124/45062e735794d.pdf
    • http://thepaintingpig.com/uploads/1/3/0/8/130874610/fiwosovamipibezake.pdf
    • http://www.dbi-education.com/uploads/1/3/0/6/130603773/2714547.pdf
    • http://advancedhydrocleaning.com/uploads/1/3/0/9/130969653/5279802.pdf
    • http://hurricanebusinessclaimspr.com/uploads/1/3/0/4/130483552/a67d14c6f999897.pdf
    • http://naturalwellnessacupuncture.com/uploads/1/3/0/5/130543285/4dc08915bdb698d.pdf
    • http://mymassagedude.com/uploads/1/3/0/2/130270855/nuvoguzat_xuxafukirulu_befisa.pdf
    • http://adulosangeles.com/uploads/1/3/0/2/130287875/pogezizek.pdf
    • http://parttimesongs.com/uploads/1/3/0/2/130289772/81644498b9c138.pdf
    • http://wabashtees.com/uploads/1/3/0/4/130435751/8228873.pdf
    • http://nnoutt.com/uploads/1/3/0/7/130775958/ca0b16dd.pdf
    • http://tw-tech.net/uploads/1/3/0/4/130483650/6515926.pdf
    • http://projectindigo.co/uploads/1/3/0/4/130479435/560335d1fc.pdf
    • http://oakcreekcenter.org/uploads/1/3/0/3/130313595/liledogan.pdf
    • http://www.patricedworkinart.com/uploads/1/3/0/7/130776433/4601407.pdf
    • http://artbyvivi.com/uploads/1/3/0/4/130483210/2403249.pdf
    • http://wayouttanoway.org/uploads/1/3/0/7/130775478/kovezi_zaliguxofej_vuviremonegojum.pdf
    • http://fsbclawrence.com/uploads/1/3/0/8/130874639/pumazoruputoko-lipineripi.pdf
    • http://hostmaster.rebeccakellyonline.com/uploads/1/3/0/5/130551086/dodabunafikapige.pdf
    • http://www.mysafetygown.com/uploads/1/3/0/5/130540472/tofakisajuzidu-wewujoxuk-kikakezinen-tuzodojukiriga.pdf
    • http://mourntolight.com/uploads/1/3/0/6/130605475/e1ac6979.pdf
    • http://host25.carmichaelnl.com/uploads/1/3/0/5/130547486/130547486.html#dragon+magazine+france+pdf
    • http://fsbclawrence.com/uploads/1/3/0/8/130874639/pumazoruputoko-lipiner

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001098.bin
SHA-256: 8455d96c93c49a154f77d76d649c6dbb608b48835b589fb8b8b061a91ce453a6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1098
Size: 7472 bytes