Malicious PDF — malware analysis report

Static analysis result for SHA-256 39a13ee05d72333c…

Verdict: MALICIOUS
File type: PDF
Size: 58.6 KB
Authoring application: Scribus
MD5: 8c66dfe64a2abb956f4ff6996afc4f54
SHA-1: d8dcc8de753249a295b5e82d1bc117d0b83d4c19
SHA-256: 39a13ee05d72333c2c5693bf02444089ab68f8ca3eae43f1002f5c58461c4142
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

This PDF file contains an embedded JavaScript stream and a large number of external links, indicative of a link farm or phishing campaign. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The primary function appears to be directing users to a multitude of other PDF documents hosted across various domains.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern. In this sample the 18 extracted URLs each sit on a different host (17 point at .pdf files, one at an .html page), but all share the same /uploads/1/3/0/<n>/<id>/ path layout, so the clustering here is by hosting template rather than by host.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • PDF_JS (low): Embedded JS stream
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules, none of which fired on this sample.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. The 18 URLs extracted from this file:
    • http://tiffanyramsdell.com/uploads/1/3/0/3/130324370/jemokujedobet.pdf
    • http://nu9empire.com/uploads/1/3/0/5/130541837/3a7cc49.pdf
    • http://mrpsmathclass.com/uploads/1/3/0/5/130543569/ef404b5bcbe74.pdf
    • http://mrmcgintysmonarchs.com/uploads/1/3/0/2/130274281/c9e6f4278ca07.pdf
    • http://yoursitesugly.com/uploads/1/3/0/7/130739887/2241113.pdf
    • http://prepkitchenco.com/uploads/1/3/0/6/130639786/jugibebif.pdf
    • http://naturalmusicmarketing.net/uploads/1/3/0/3/130313718/5701675.pdf
    • http://majesticscotlandtours.com/uploads/1/3/0/6/130620803/fegemotuwinul.pdf
    • http://jandjservices.ch/uploads/1/3/0/6/130620522/5820047.pdf
    • http://deottoalberto.com/uploads/1/3/0/7/130776587/retipasaziro_fepaj_malavum_zafewibemu.pdf
    • http://thespeechteach.com/uploads/1/3/0/6/130639547/1385d4574d4.pdf
    • http://listingsbyrob.com/uploads/1/3/0/8/130814855/fozitepokutis-tuzuvovo-wukogawanunevo-lefimo.pdf
    • http://www.immobilier-val-de-marne-94.fr/uploads/1/3/0/5/130544090/e21a31fcd3dc0e.pdf
    • http://thendralgardens.com/uploads/1/3/0/6/130639583/sutir.pdf
    • http://ninaschjeide.net/uploads/1/3/0/3/130379115/2d9087533.pdf
    • http://quartzvanitydirect.com/uploads/1/3/0/5/130539913/8fbfa6d888.pdf
    • http://truedefensepdr.com/uploads/1/3/0/5/130550910/4298969.pdf
    • http://2psb9.slpny.com/uploads/1/3/0/6/130640053/130640053.html#os+lusiadas+canto+5+pdf
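As an added example, not the analyser's own code, the Python below applies the three heuristics above to raw PDF bytes: it pulls /URI targets out of link annotations in both the literal (...) and hex <...> string encodings, checks for a /JS key, and scores the link set by file size, link count and clustering. Because the URLs in this sample sit on distinct hosts that share one upload-path layout, the clustering check uses a digit-normalised path template as well as the host, which generalises the "one host" wording of the rule. The thresholds, the build_sample_pdf helper and the .invalid sample URLs are assumptions; the sample PDF is constructed here, not the analysed file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions for illustration, not the analyser's real values.
MAX_SIZE = 200 * 1024   # "small PDF" upper bound in bytes
MIN_LINKS = 10          # external .pdf links needed before flagging
CLUSTER_RATIO = 0.5     # share of links that must sit on one host or path template

# /URI values as PDF literal strings (...) or hex strings <...>.
_URI_LITERAL = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.S)
_URI_HEX = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')
_JS_KEY = re.compile(rb'/JS(?![A-Za-z0-9])')   # the /JS key, not /JSX or similar
_ESC = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f'}


def _unescape(s: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\ooo octal and \\x single-char forms."""
    def repl(m):
        tok = m.group(1)
        if all(c in b'01234567' for c in tok):
            return bytes([int(tok, 8) & 0xFF])
        return _ESC.get(tok, tok)
    return re.sub(rb'\\([0-7]{1,3}|.)', repl, s, flags=re.S)


def extract_uris(pdf: bytes) -> list:
    """Every /URI target in the raw bytes, decoded from either string encoding."""
    found = [_unescape(m) for m in _URI_LITERAL.findall(pdf)]
    for h in _URI_HEX.findall(pdf):
        h = re.sub(rb'\s', b'', h)
        found.append(bytes.fromhex(h.decode() + ('0' if len(h) % 2 else '')))
    return [u.decode('latin-1') for u in found]


def external_pdf_links(urls: list) -> list:
    """Parsed http(s) URLs whose path ends in .pdf."""
    parsed = (urlparse(u) for u in urls)
    return [p for p in parsed
            if p.scheme in ('http', 'https') and p.path.lower().endswith('.pdf')]


def path_template(p) -> str:
    """Collapse digit runs in the parent directory so /uploads/1/3/0/6/130639786/a.pdf
    and /uploads/1/3/0/3/130324370/b.pdf share one template across different hosts."""
    return re.sub(r'\d+', 'N', p.path.rsplit('/', 1)[0])


def assess(pdf: bytes) -> dict:
    """Apply PDF_SEO_LINK_FARM, PDF_JS and EMBEDDED_URL and return the evidence."""
    urls = extract_uris(pdf)
    links = external_pdf_links(urls)
    hosts = Counter(p.netloc.lower() for p in links)
    templates = Counter(path_template(p) for p in links)
    top_host = hosts.most_common(1)[0] if hosts else ('', 0)
    top_tpl = templates.most_common(1)[0] if templates else ('', 0)
    n = len(links)
    clustered = n > 0 and max(top_host[1], top_tpl[1]) / n >= CLUSTER_RATIO
    findings = []
    if len(pdf) <= MAX_SIZE and n >= MIN_LINKS and clustered:
        findings.append('PDF_SEO_LINK_FARM')
    if _JS_KEY.search(pdf):
        findings.append('PDF_JS')
    if urls:
        findings.append('EMBEDDED_URL')
    return {'size': len(pdf), 'urls': urls, 'external_pdf_links': n,
            'top_host': top_host, 'top_path_template': top_tpl,
            'findings': findings}


def build_sample_pdf(urls: list, with_js: bool = True) -> bytes:
    """Constructed one-page PDF whose link annotations target `urls`, alternating
    literal and hex URI encodings. No xref table: byte-level triage does not
    need a rendering parser, which is the point of these heuristics."""
    annots, refs = [], []
    for i, u in enumerate(urls):
        refs.append(f'{5 + i} 0 R'.encode())
        if i % 2:
            enc = b'<' + u.encode().hex().encode() + b'>'
        else:
            lit = u.encode().replace(b'\\', b'\\\\').replace(b'(', b'\\(').replace(b')', b'\\)')
            enc = b'(' + lit + b')'
        annots.append(b'<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] '
                      b'/A << /S /URI /URI ' + enc + b' >> >>')
    page = b'<< /Type /Page /Parent 2 0 R /Annots [' + b' '.join(refs) + b']'
    page += b' /AA << /O 4 0 R >> >>' if with_js else b' >>'
    js = b'<< /S /JavaScript /JS (app.alert(1);) >>' if with_js else b'<< >>'
    objs = [b'<< /Type /Catalog /Pages 2 0 R >>',
            b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>', page, js] + annots
    out = b'%PDF-1.4\n'
    for num, obj in enumerate(objs, 1):
        out += f'{num} 0 obj\n'.encode() + obj + b'\nendobj\n'
    return out + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


# Constructed sample URLs (not the report's): 12 .pdf links on 12 hosts that share
# one upload-path layout, plus one .html link, mirroring the pattern above.
SAMPLE_URLS = [f'http://site{i}.invalid/uploads/1/3/0/{i % 9}/13{i:07d}/doc{i}.pdf'
               for i in range(12)]
SAMPLE_URLS.append('http://site0.invalid/uploads/1/3/0/0/130000000/index.html#q')

if __name__ == '__main__':
    for key, value in assess(build_sample_pdf(SAMPLE_URLS)).items():
        print(f'{key}: {value}')
```

Run as-is, it flags the constructed sample with all three rules even though no host holds more than one link; dropping with_js or cutting the list below MIN_LINKS leaves only EMBEDDED_URL, which is the "URL is not a detection" behaviour the rule text describes.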

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000f71.bin
SHA-256: 01fe5a74948f2109dd7d36fb54261277187fec7cae54c4eea737b63da0fde321
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF71
Size: 10384 bytes

Filename: font_01_sfnt_off0000906c.bin
SHA-256: c2e591a77075210bc5d3b1defbbea45119573eaf9a6817425d2947c5679a5ec2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x906C
Size: 16420 bytes

Both artifacts are embedded sfnt font streams, consistent with the Scribus authoring tag; they are carved for completeness and no heuristic above is attached to them.