Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d21ae2af68f66b9…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Authoring application: ImageMagick
MD5: 49185aa319e4832d846a7802b85eeeca
SHA-1: f0007f3d35a5ab1a6cbe765613bb56827a769554
SHA-256: 2d21ae2af68f66b9aff264f5ef015d2481595866c6d8e7436990dec1081e5c4e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique commonly used for SEO manipulation or to redirect users to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. No scripts were extracted from this sample, and the document body was heavily obfuscated and unreadable.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://chattanoogacrawlspaceencapsulations.com/uploads/1/3/0/2/130270746/7195377.pdf
    • http://lyonchambers.com/uploads/1/3/0/6/130620372/4685773.pdf
    • http://calasanzpbavaro.edu.do/uploads/1/3/0/7/130776082/nudopudozuwada.pdf
    • http://suitsforteens.org/uploads/1/3/0/2/130289319/369845d341910db.pdf
    • http://ddeusa.com/uploads/1/3/0/6/130604557/1537388.pdf
    • http://mysistershouseonline.org/uploads/1/3/0/4/130483912/7812031.pdf
    • http://4dverse.com/uploads/1/3/0/7/130739393/kirajirugakefe.pdf
    • http://d-team.info/uploads/1/3/0/6/130604871/jegujilofu.pdf
    • http://theloveboxcompanyonline.com/uploads/1/3/0/3/130313590/gonivepito.pdf
    • http://prescottrealestatereferrals.com/uploads/1/3/0/2/130289375/dusotil_vetilimepowavoz.pdf
    • http://theboutiquehilo.com/uploads/1/3/0/2/130272575/popedimemofif.pdf
    • http://iterodentallab.com/uploads/1/3/0/3/130313588/detipur.pdf
    • http://qor.kz/uploads/1/3/0/6/130620604/xabiwaxeliva_wogulokoxe.pdf
    • http://localator.net/uploads/1/3/0/6/130604902/lazunerigevu.pdf
    • http://irieint.com/uploads/1/3/0/7/130739459/130739459.html#acetic+acid+isopropyl+alcohol+reaction

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003ab0.bin
SHA-256: 7b682c71b2463e8a0752f1a89d63b7b10ea94982ab4c27746d25180a9fa4d60b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3AB0
Size: 9096 bytes