Malicious PDF — malware analysis report

Static analysis result for SHA-256 39c40f295dee6a04…

MALICIOUS

PDF

Size: 70.0 KB
Authoring application: Solid Converter PDF
MD5: 7e871f8dfc51a33524c02b909cf2d638
SHA-1: 11da29d27e4f21868311a97cf0159b91994d4d47
SHA-256: 39c40f295dee6a0469fd259f51a7b46aaec398755e88139774fd9b0af17ab9b4
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF contains an unusually large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The extracted targets are spread across several unrelated hosts but share the same generated-looking /uploads/ path structure, which points to an SEO-style phishing or malware-distribution campaign rather than a document citing its sources. A ClamAV signature match (Pdf.Phishing.TtraffRobotInstall-7605656-0) supports that assessment. No scripts were extracted, and the document body is heavily obfuscated, so the exact lure text could not be determined.

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://my-mediamatters.tech/uploads/1/3/0/5/130590739/xonavawikepuguxuv.pdf
    • http://daz.race-charter.ru/uploads/2020/01/29/dipaxeg.pdf
    • http://tomajep.japher.site/uploads/2020/01/29/8360d85b605.pdf
    • http://restoreand.com/uploads/1/3/0/2/130288514/7023697.pdf
    • http://arty-lab.com/uploads/1/3/0/5/130590224/korirafezelowij_kibofiwidab_pekalurevedim.pdf
    • http://nationalriskmanagementgroup.com/uploads/1/3/0/6/130639972/130639972.html#ben+10+theme+song+in+english
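The PDF_SEO_LINK_FARM heuristic above (small file, many clickable links, mostly .pdf targets, concentrated on one host) can be reproduced from the raw file without a PDF library, since /Link annotations carry their target in a /URI action string. The code below is an added illustration written for this page, not the analysis engine's own implementation. The thresholds (MIN_LINKS, MAX_SIZE and the two ratios) are assumptions chosen for illustration, and build_pdf only exists to construct a test input; it is not the analysed sample. Link annotations stored inside FlateDecode object streams are invisible to this scan and would need inflating first.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds (not taken from the report); tune them against benign documents.
MIN_LINKS = 5             # fewer clickable links than this looks like normal citation use
MAX_SIZE = 200 * 1024     # "small" carrier: generated link farms are tiny, like the 70 KB sample
MIN_PDF_LINK_RATIO = 0.5  # share of links whose target is itself a .pdf
MIN_HOST_SHARE = 0.5      # share of links pointing at the single most common host

# /URI (...) literal string; PDF escapes ')' as '\)', so stop only at an unescaped ')'.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def build_pdf(uris):
    """Construct a minimal, uncompressed PDF with one /Link annotation per URI.
    Test input only (no xref table, so a strict reader may reject it)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for u in uris:
        lit = u.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + lit + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


def extract_link_uris(pdf_bytes):
    """Pull /URI action targets out of the raw bytes and undo the string escapes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def assess_link_farm(pdf_bytes):
    """Score a PDF against the link-farm pattern; returns the measured features and a flag."""
    external = [u for u in extract_link_uris(pdf_bytes)
                if u.lower().startswith(("http://", "https://"))]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    pdf_targets = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    result = {
        "size": len(pdf_bytes),
        "links": n,
        "hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
        "pdf_link_ratio": pdf_targets / n if n else 0.0,
    }
    result["flag"] = (
        result["size"] <= MAX_SIZE
        and n >= MIN_LINKS
        and result["pdf_link_ratio"] >= MIN_PDF_LINK_RATIO
        and result["top_host_share"] >= MIN_HOST_SHARE
    )
    return result


if __name__ == "__main__":
    # Constructed sample: five .pdf links on one host plus two stragglers, mimicking the pattern.
    farm = [f"http://host-a.example/uploads/1/{i}.pdf" for i in range(5)]
    farm += ["http://host-b.example/uploads/2/x.pdf", "http://host-c.example/page.html#q"]
    print(assess_link_farm(build_pdf(farm)))
```

The host-concentration test is what separates a generated carrier from a legitimate bibliography: a real paper cites many hosts, and very few of its targets are other PDFs. Run the same function over a handful of known-good documents before trusting the thresholds.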

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00001327.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1327   10248 bytes
    SHA-256 b1e37e5ac2b4c34e0fb2eaa76badf1957b46a27b8ac68d06937547f70a21a4d0
font_01_sfnt_off000075b6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x75B6   12464 bytes
    SHA-256 e558bec40309ff73e825d230cfcd2ca3d36362cc91118506e5166e5d8e18e28f
font_02_sfnt_off00008b0e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8B0E   2752 bytes
    SHA-256 dce1f6d5bd7c3c5c9e6a365e9d19a2fc023e0b0ae1db5cb6d8a9d5c06cfc5811
font_03_sfnt_off00009500.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9500   8120 bytes
    SHA-256 28793b79dfe77811ca3de056c3c0438425898395c65d4afc7188b22c4c730846
font_04_sfnt_off0000adbf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xADBF   8996 bytes
    SHA-256 b043b2afef09a0dbe6e073ee195a17bf065b21f0618812be8458d2991ed34cc3
font_05_sfnt_off0000c00f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC00F   20032 bytes
    SHA-256 c5afbfc3c7a026b0fd618c9837635137b4730873e4eb6eb9f90d5b5cc6955a37
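The six artifacts above are sfnt (TrueType/OpenType) fonts carved at file offsets, which is possible here because the font streams are stored uncompressed. The carver below is an added example written for this page, not the analysis engine's own code: it scans for the sfnt magic, validates the table directory, and derives the font's length from the end of its last table (4-byte aligned), which is how a carver knows where one embedded font stops without trusting the stream's declared /Length. build_sfnt only constructs a test font; it is not one of the artifacts listed. Fonts inside FlateDecode streams would need the stream inflated before scanning, and offsets would then refer to the decoded data rather than the file.

```python
import hashlib
import struct

# sfnt header tags: TrueType (1.0 fixed), Apple 'true', CFF-based OpenType 'OTTO'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
MAX_TABLES = 64  # assumed sanity bound; real fonts carry a few dozen tables at most


def build_sfnt(tables):
    """Construct a syntactically valid sfnt blob from {tag: bytes}. Test input only;
    checksums and the binary-search header fields are left zero."""
    n = len(tables)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, 0, 0, 0)
    directory, body = b"", b""
    base = 12 + 16 * n
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
    return header + directory + body


def sfnt_length(buf, off):
    """Return the byte length of the sfnt font starting at buf[off], or None if the
    header and table directory are not plausible at that offset."""
    if off + 12 > len(buf) or buf[off:off + 4] not in SFNT_MAGICS:
        return None
    (num_tables,) = struct.unpack_from(">H", buf, off + 4)
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    end = 12 + 16 * num_tables  # directory end; every table must start at or after it
    if off + end > len(buf):
        return None
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):  # tags are printable ASCII
            return None
        if toff < end or off + toff + tlen > len(buf):
            return None
        end = max(end, toff + tlen)
    return (end + 3) & ~3


def carve_sfnt_fonts(buf):
    """Scan a byte buffer for embedded sfnt fonts; returns offset, length and SHA-256 per hit."""
    found, pos = [], 0
    while pos < len(buf):
        candidates = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not candidates:
            break
        off = min(candidates)
        length = sfnt_length(buf, off)
        if length is None:
            pos = off + 1  # magic bytes that do not head a real font; keep scanning
            continue
        blob = buf[off:off + length]
        found.append({"offset": off, "length": length,
                      "sha256": hashlib.sha256(blob).hexdigest()})
        pos = off + length
    return found


if __name__ == "__main__":
    # Constructed PDF-like buffer with two uncompressed font streams; not the analysed sample.
    font = build_sfnt({b"head": b"\x01" * 54, b"glyf": b"\x02" * 101})
    sample = (b"%PDF-1.4\n" + b"x" * 100 + b"stream\n" + font + b"\nendstream\n"
              + b"y" * 33 + b"stream\n" + font + b"\nendstream\n%%EOF\n")
    for hit in carve_sfnt_fonts(sample):
        print("font at offset 0x%X, %d bytes, sha256 %s" % (hit["offset"], hit["length"], hit["sha256"]))
```

The directory validation matters more than the magic: the four bytes 'true' occur in ordinary text, and only a coherent table directory (sane table count, printable tags, offsets inside the buffer) turns a hit into a carvable font. Hashing each carved blob gives the per-artifact SHA-256 values a report like this one lists, so the same font reused across samples can be pivoted on.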