Malicious PDF — malware analysis report

Static analysis result for SHA-256 3243c14919814b9e…

MALICIOUS

PDF

Size: 39.7 KB
Authoring application: PDF Studio
MD5: 4d02edd69de2f2452020d32444cf3ac4
SHA-1: 5748e4f17b4d65a034acfa3ff48a0beb8479a775
SHA-256: 3243c14919814b9e91f41697aa0ee6a62f1f0a84ff66f14abe37a01c6be58fdf
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The PDF document is detected as malicious by ClamAV and exhibits characteristics of a link farm, containing numerous embedded URLs. The document body suggests a lure related to ASVAB study guides, aiming to trick users into clicking the embedded links which likely lead to further malicious content. The heuristic PDF_SEO_LINK_FARM indicates a large number of external PDF links, suggesting a distribution mechanism for malware or phishing content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000016f7.bin
SHA-256: d2e6045845b5d8fec58e6a84ca4cb4ba692ff4c12e952f9679a8c9152e5eb87a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16F7
Size: 7740 bytes