Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ec688e296f777ce…

MALICIOUS

PDF

Size: 41.1 KB
Authoring application: PDFBox
MD5: 88a8a304b12c0fa5d97ffcde035f87ed
SHA-1: e89531f1619e64b748d3629c587a52b64532d2d0
SHA-256: 2ec688e296f777ce2c1fca2f439b494b7539858590da114fac3412567ad0d1d4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or traffic redirection intent. The document body contains text related to music and downloads, which likely serves as a lure to encourage users to interact with the embedded links.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011d6.bin
  SHA-256: 4539a3a4eacf7497bdec926ddf3b31595bd3faf087a2d0594e3b642d9c81129b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11D6
  Size: 8456 bytes

Filename: font_01_sfnt_off0000657c.bin
  SHA-256: 362efc88ee3e386859df28ac84511f1a9117469b97f067cf82e04b47197d905a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x657C
  Size: 2024 bytes