Malicious PDF — malware analysis report

Static analysis result for SHA-256 36eb9b7a8c88591d…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Authoring application: Inkscape
MD5: 7b07a733b6e93415b6b57b570c309504
SHA-1: 7d87eb828174e6f72c6b2f042328939d5a640855
SHA-256: 36eb9b7a8c88591d4f8d954339c205480bb4c19828cb4befc03aa21687e64413
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on many different domains. This pattern is indicative of a link farm, likely used for SEO manipulation or to distribute phishing content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing classification.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002e96.bin
SHA-256: e8d626279c957ec1c4913c24eebe1ae92af6b53f4f0ed195203023f80f5850ae
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2E96
Size: 7672 bytes