Malicious PDF — malware analysis report

Static analysis result for SHA-256 35e534b8b57e0f40…

Verdict: MALICIOUS
File type: PDF
Size: 40.4 KB
Authoring application: QPDF
MD5: 935a57a284277e425bbe841bb60811df
SHA-1: b0a6655ddef328ee5a46185d87236f4a9ec823b0
SHA-256: 35e534b8b57e0f40d6d495c3683e931ce28e1075aff352db3638008ffb180c1a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded external links, indicating a link farm designed to redirect users. The primary heuristic firing, PDF_SEO_LINK_FARM, confirms this behavior, with the dominant host being nannymoscow.com. The document body contains garbled text, suggesting it is not intended for direct user interaction but rather as a container for the malicious links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001778.bin
SHA-256: 8bace971205866053e6c8e7acc7e9cc7722aee17b5b9a69c93f46923e80ff62a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1778
Size: 8992 bytes