Malicious PDF — malware analysis report

Static analysis result for SHA-256 398c458f7e28c522…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Authoring application: Scribus
MD5: 9488eaa666b30559a0fabe36c8d27591
SHA-1: 206a6007f7a2eccbc85894eafefc6561195b72a1
SHA-256: 398c458f7e28c522de358e0775ee466b8507f374878869b8b0c12e7a96c01fec
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files across various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection further supports its malicious nature. No scripts were extracted from this sample, limiting the analysis of specific execution behaviors.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000033bd.bin
SHA-256: bb4ba82eec0982963f8b08b4af670c78e45b349669ec64a881abcf3358f5bc57
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x33BD
Size: 8476 bytes