Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fe17ee5d6184ae4…

MALICIOUS

PDF

57.3 KB Authoring application: Soda PDF
MD5: 6db4c70847201f664bc6d8a0c1560fed SHA-1: 9a174eab67b3f3345fc3423af737746b755194e1 SHA-256: 2fe17ee5d6184ae436176e0dda2c84a3b70c353192188a5856cfb5614394cc20
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to external PDF documents. This is indicative of a link farm or a phishing campaign designed to direct users to malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of this file. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://fucking-anonymous.com/uploads/1/3/0/4/130435654/a75fb177a.pdf
    • http://necoraindustries.com/uploads/1/3/0/6/130639325/memusoxusuju.pdf
    • http://withlovec.blog/uploads/1/3/0/4/130476747/4150028.pdf
    • http://toobusymomsbooks.com/uploads/1/3/0/3/130323291/43cdddf5794.pdf
    • http://groundtruthsalessystem.com/uploads/1/3/0/4/130488476/4536ecf8b98.pdf
    • http://morganhomesliving.com/uploads/1/3/0/2/130271113/9557839.pdf
    • http://naturalsound.com.pl/uploads/1/3/0/5/130542937/kimazimep.pdf
    • http://techconnectwest.net/uploads/1/3/0/6/130620618/46a0e01398.pdf
    • http://ashleyleoncini.com/uploads/1/3/0/8/130874666/wumud.pdf
    • http://silverbulletgunworks.com/uploads/1/3/0/5/130551374/waxexatajup_rupoj_wibopijuz_votovivef.pdf
    • http://oddamericancompany.com/uploads/1/3/0/3/130323290/f64ce94a94.pdf
    • http://townhousemarketing.com/uploads/1/3/0/2/130274258/5263594.pdf
    • http://mbyj.net/uploads/1/3/0/4/130435893/pumazagoxiso.pdf
    • http://carmelorganizer.com/uploads/1/3/0/6/130639719/7a240a9b.pdf
    • http://atlasthemighty.com/uploads/1/3/0/7/130775635/fetafanetexijum-midonakamu.pdf
    • http://mail.davidsfondslandegem.net/uploads/1/3/0/3/130379291/3415252.pdf
    • http://www.humanbridge.cc/uploads/1/3/0/5/130550951/831c6c5dfd40.pdf
    • http://webdisk.harvestclevelandne.org/uploads/1/3/0/6/130639892/2c1f6a8d.pdf
    • http://sanprado.net/uploads/1/3/0/8/130813645/130813645.html#lord+ayyappa+songs+free+download+in+telugu

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000041ac.bin
bb65e153df78154bfd14470754e87ba03df7715f8d52849d071c5334056f3476		 pdf-font-stream PDF embedded font (sfnt) at offset 0x41AC 16096 bytes
font_01_sfnt_off00005622.bin
1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5622 2652 bytes
font_02_sfnt_off00005f86.bin
78d2a5325dbfb2608e253d9cac1fb1bb0ea50abd2d6285499f3de6cad1f4cc14		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F86 10588 bytes
font_03_sfnt_off00007ef0.bin
a573a1b9f31e29434452c0af40a7e23c8d2c19ba20c6c7f036d5cd0ea1f8f398		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EF0 10172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.