Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b988aa6291c5062…

Verdict: MALICIOUS
File type: PDF
Size: 40.7 KB
Authoring application: Serif PagePlus
MD5: f7f70a64d1f9ed0efe8d9292109e3679
SHA-1: 275c6d70c471fe577b6ec47b55fd89adaa7aa61f
SHA-256: 3b988aa6291c5062e494598a0c068f0519ff7820cad57c7c07ff70490ef728b4
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified as a 'PDF_SEO_LINK_FARM' heuristic, pointing to external PDF files. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the presence of a 'SE_DOWNLOAD_BUTTON' heuristic further indicate a phishing or malware distribution attempt. The primary IOC is the first URL in the link farm, http://jum.support-account.net/uploads/2020/01/28/da8a07dd35.pdf, which is likely the intended destination for the user.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000148a.bin | f4e9fc94a599fe2c86d7404caf9a980763107f3c113a16157fec42e3d3707b39 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x148A | 8964 bytes
font_01_sfnt_off000054e0.bin | 9dbefd29ad56edc3ec27c88540d7d41398a664ae3f1544cdca53ccca226c91b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x54E0 | 10764 bytes