Malicious PDF — malware analysis report

Static analysis result for SHA-256 39bafc240cab65a2…

Verdict: MALICIOUS
File type: PDF
Size: 43.0 KB
Authoring application: SWFTools
MD5: 8a8b7938385e79be8aaa98eecef0063f
SHA-1: 7385e9a809fe193e17f8979dedaeb41f8c044898
SHA-256: 39bafc240cab65a295acdf830d00de72dd4d8423c55b263186afc10fa0b134ff
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF documents, indicative of a link farm or SEO-based phishing campaign. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-driving intent. No scripts were extracted, and the document body contained mostly garbage data, limiting further analysis of the specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://cordiaaladvies.nl/uploads/1/3/0/7/130738541/4729757.pdf
    • http://hostmaster.besidethesea.uk/uploads/1/3/0/5/130588213/6923435.pdf
    • http://truthu.org/uploads/1/3/0/8/130874076/62e0bbad.pdf
    • http://www.finepointwedding.com/uploads/1/3/0/5/130551390/1a9015b8a28.pdf
    • http://www.leaderwithpurpose.com/uploads/1/3/0/6/130603824/2567d608913.pdf
    • http://kauffmancenterstore.net/uploads/1/3/0/7/130775818/532b07b669b5.pdf
    • http://mgtavconference.com/uploads/1/3/0/2/130274267/vaxul-fitula-tosigofilirowe.pdf
    • http://mybabymemories.com.au/uploads/1/3/0/2/130273893/a5e7ab036.pdf
    • http://theacupunctureplace.net/uploads/1/3/0/7/130775531/2703450.pdf
    • http://theessendonhotel.com.au/uploads/1/3/0/3/130379237/gepako.pdf
    • http://luxairecares.net/uploads/1/3/0/7/130776801/lusemunikukuzo.pdf
    • http://www.tayloreportfolio.com/uploads/1/3/0/6/130621505/2841872.pdf
    • http://www.ecfrancoisdesales.com/uploads/1/3/0/8/130874426/7951006.pdf
    • http://estheticsbypaige.com/uploads/1/3/0/6/130604612/manefedebotixiso.pdf
    • http://myforeclosurelawyer.net/uploads/1/3/0/2/130271030/gowobeveruw.pdf
    • http://www.familychildrenscenter.com/uploads/1/3/0/5/130543019/betof-gogazigokizid.pdf
    • http://pyramation.com/uploads/1/3/0/2/130270866/1949534.pdf
    • http://mta-sts.mail.kristopix.com/uploads/1/3/0/6/130604031/wuzogidogogigatesede.pdf
    • http://www.brantak.com/uploads/1/3/0/7/130739103/felunenufajejofinug.pdf
    • http://www.rouseinsuranceandfinancial.com/uploads/1/3/0/4/130436130/1373523.pdf
    • http://healthyvillagesinc.org/uploads/1/3/0/9/130969003/nared_filovodubefapi_zabogava.pdf
    • http://freedom2flyda.com/uploads/1/3/0/7/130740363/vupamewajifep.pdf
    • http://www.listenlivehsv.com/uploads/1/3/0/8/130814644/ca31ab0ff226a.pdf
    • http://www.uptownsafarigallery.com/uploads/1/3/0/5/130551775/xeropuf.pdf
    • http://www.girilya.com/uploads/1/3/0/7/130776162/4809210.pdf
    • http://www.thecatefarm.com/uploads/1/3/0/7/130739194/130739194.html#megaloblastic+anemia+meaning+in+hindi

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000454f.bin
SHA-256: 0bc8a381aacee78c550ced6d6e4d710ad47fc649c404e4c17c759acdf9c5f9e6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x454F
Size: 7408 bytes