Malicious PDF — malware analysis report

Static analysis result for SHA-256 39d4f254ee8fa81d…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Authoring application: ImageMagick
MD5: eab55d56698be391d74280dcb9bbc8af
SHA-1: a4e0cf09b40f05b23eccc594d5cf371e296d4828
SHA-256: 39d4f254ee8fa81d0a7b0c8e06d7c6b5c4a5e729493ce4c2a765e151b45ba21d
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. This suggests a phishing or malware distribution attempt that aims to route users to a multitude of other PDF documents. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious classification. The document body text, though heavily corrupted, contains phrases related to 'download' and 'ebooks', consistent with a lure to download malicious content.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001837.bin
    SHA-256: 7158d9df19fbe22d13c9a359265130b8694d58501c4cc429cfc590432a55f572
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1837
    Size: 8648 bytes
  • Filename: font_01_sfnt_off00006e31.bin
    SHA-256: c84e7651f9583b5576807eb1ede237b78d3c2ab3ee99575d36e9b1e25557033c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E31
    Size: 4884 bytes
  • Filename: font_02_sfnt_off00007b28.bin
    SHA-256: 4ccbb0b46756bdc9361e07c159654966e92d337ff76cdfdd1ca458e2087c5282
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B28
    Size: 16128 bytes