MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file exhibits characteristics of a link farm, with a heuristic firing indicating a mass of external PDF links. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent. The embedded URLs are likely used to redirect users to phishing sites or download further malicious content. No scripts were extracted from this sample.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL info (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00001319.bin 5096c0a94a82f54e451375c61e238ebcdae0402021d8f754f502d4ff2e036298 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1319 | 9100 bytes |
| font_01_sfnt_off0000a087.bin 52664e61409d67f287ed0b6b8e8ebc636191b675ac2a73c20a9806c344ff7bda | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA087 | 3468 bytes |