Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c8a8c0f634df03c…

Verdict: MALICIOUS
File type: PDF
Size: 30.8 KB
Authoring application: PDFBox
MD5: 9523d57b88be2820e8af8eef83760b2f
SHA-1: 65c7ac78528c66a9719f1b2d93bc260e3525bc79
SHA-256: 2c8a8c0f634df03cdc8b6c5c6a595837e86c3fc82650ca9670554e373466b69d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a phishing campaign designed to redirect users to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing classification.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001962.bin
    SHA-256: cabe61a20de11a14733ae1e7b590d0449e3f2de89f2981c94a6f33fe03e1c40a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1962
    Size: 6020 bytes