Malicious PDF — malware analysis report

Static analysis result for SHA-256 31c612c738c32cfc…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Authoring application: Inkscape
MD5: 93f11dc4df8020389e384f69cbc26ea5
SHA-1: 22693ce5553ebd0709b3201f69d3a228fa45262b
SHA-256: 31c612c738c32cfcfde1c5c2aa7c4cd2c4abcb143e10959639422c2ed09b27c9
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, which suggests a phishing or SEO-spam campaign. The presence of a visual download button further supports the lure. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 confirms the malicious nature of the file. The document body contains multiple URLs, which are likely part of the link farm and intended to redirect users to malicious content.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://prostoy-recept.ru/uploads/2020/01/27/aad7c5d0b50be4.pdf
    • http://wurup.smm-pr.com/uploads/2020/01/28/masem-sazerede-wujarigolo-jewofaxux.pdf
    • http://lioele.ru/uploads/2020/01/27/muwuvafudur.pdf
    • http://nipus.antivirussguardservice.xyz/uploads/2020/01/27/linerawi.pdf
    • http://restoran-yugoslavia.ru/uploads/2020/01/27/gizuvaperujugabo.pdf
    • http://thecut.studio/uploads/1/3/0/2/130288514/ce89f2d7aaa6b9e.pdf
    • http://warren.capetown/uploads/1/3/0/4/130476237/maxuxiv.pdf
    • http://busadi.info/uploads/2020/01/27/fasipe_bokujis.pdf
    • https://lanutadagere.weebly.com/uploads/1/3/0/5/130550797/zukisigaxip_numetotimo.pdf
    • http://rssailing.org.au/uploads/1/3/0/4/130478360/galeduganat.pdf
    • http://six.wpchoice.net/uploads/2020/01/28/zaputemamom.pdf
    • http://navierabahiasub.weebly.com/uploads/1/3/0/6/130639976/7913451.pdf
    • http://mwri.co/uploads/1/3/0/6/130604349/1894739.pdf
    • http://canon-services.com/uploads/1/3/0/2/130287837/faribozibafina_sejelosabapeno.pdf
    • http://buswell.ca/uploads/1/3/0/6/130621700/dedezu.pdf
    • http://nullaginecrc.net/uploads/1/3/0/5/130551140/2a22f2.pdf
    • https://zafipaferem.weebly.com/uploads/1/3/0/2/130289233/5126003.pdf
    • http://obituar.org/uploads/1/3/0/5/130589310/lubugilajavoz.pdf
    • http://kghypnobirthingsouth.com/uploads/1/3/0/5/130545194/8121534.pdf
    • http://jasonbarun.com/uploads/2020/01/28/7ca137994167.pdf
    • http://warwickcarriagedriving.com/uploads/1/3/0/5/130545001/130545001.html#beginning+by+joeboy+lyrics

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001560.bin
    SHA-256: f41007f8a02ebb880a5d9e9423df7a7e34fa5b1a159aab8e7b97bdf715904f8a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1560
    Size: 7792 bytes