Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a0356a649aec0cf…

Verdict: MALICIOUS
File type: PDF
Size: 46.7 KB
Authoring application: Poppler-utils
MD5: 5135c7f86b0a9373c69290cb47e04721
SHA-1: 4708b59937e1eb21a711b7269b5fba8dfbbe90e3
SHA-256: 3a0356a649aec0cf818e8fb6d09e54801ef88145572eb351de338bf3b7ef271d
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to external PDF documents. The heuristic 'PDF_SEO_LINK_FARM' indicates this is a link farm, and the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' suggests a phishing or traffic-driving intent. The embedded URLs are the primary indicators of malicious activity, likely used to redirect users to malicious content or phishing sites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://bix.handorinservice.ru/uploads/2020/01/28/kavedil.pdf
    • http://keb.kamafishing.ru/uploads/2020/01/28/zokedukoruxamodurilo.pdf
    • http://gajejad.tykoler.store/uploads/2020/01/27/cc3fd2e.pdf
    • http://jixoxujuz.spec-techavto.ru/uploads/2020/01/28/nedazekefifiz.pdf
    • http://kuhni-msc11.icu/uploads/2020/01/28/de2ca73f9.pdf
    • http://themaacfitness.com/uploads/1/3/0/2/130289721/74afddcb547.pdf
    • https://zuzesazubaj.weebly.com/uploads/1/3/0/5/130551096/dilawewujuzegox.pdf
    • http://autourist24.com/uploads/2020/01/29/3258316.pdf
    • http://journeyyoga.ca/uploads/1/3/0/6/130603772/2685332.pdf
    • https://mowifiwa.weebly.com/uploads/1/3/0/4/130436085/sevamugakav-duvugoduvu-zobojulivumori-wovab.pdf
    • http://lip.tipmoscow.ru/uploads/2020/01/29/ec79632.pdf
    • http://greecestyle.ru/uploads/2020/01/27/xijudixudarorom_gajaboseben.pdf
    • http://xegaxuzinu.tkantares.ru/uploads/2020/01/28/578478.pdf
    • http://theclaytonconnection.com/uploads/1/3/0/5/130588721/garajupo.pdf
    • http://vivinewi.sparepartsjumberca.com/uploads/2020/01/27/juxivefigapej.pdf
    • http://wubaneruze.0406shopps02.fun/uploads/2020/01/28/junefurenezu.pdf
    • http://wukepu.detskepovidky.com/uploads/2020/01/28/9473701.pdf
    • http://centralcarolinagsdclub.com/uploads/1/3/0/4/130435556/xosudenojidedejuweg.pdf
    • https://muwajalejes.weebly.com/uploads/1/3/0/3/130313265/513b44cb93.pdf
    • http://breesbag.com/uploads/1/3/0/3/130379457/1eca3c1ce0.pdf
    • http://scupstateparalegals.org/uploads/1/3/0/4/130436049/wugur.pdf
    • http://nemuwalax.agicole-acces.com/uploads/2020/01/27/kixetux_fetubusabizolu.pdf
    • http://welizubadi.hospitalnaluri.com/uploads/2020/01/27/berigod.pdf
    • http://thisweeksbestdeals.com/uploads/1/3/0/6/130620902/zopesiwejemizeg-tiwapowi.pdf
    • http://salati.bbjgamestore.com/uploads/2020/01/28/badefivexilufi.pdf
    • http://specblend.com/uploads/1/3/0/2/130270813/130270813.html#you%27+re+the+reason+piano+sheet+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00001940.bin
    SHA-256: 7c3cd1c8b132e1b45405b1439921b6b95b389acf8dd0f7d048a306539c921617
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1940
    Size: 9676 bytes
  • font_01_sfnt_off00007d0f.bin
    SHA-256: 83d89f79375f7f339e88070a8779324ce221c94923bff415e388e162fbc46cfe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D0F
    Size: 2604 bytes