Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ce3c11fa8f6f252…

Verdict: MALICIOUS
File type: PDF
Size: 58.8 KB
Authoring application: SWFTools
MD5: 8a26611c63369174d432784b3a6b29f4
SHA-1: 0314495d10c2ad2634896929b8873e6e8d9a226d
SHA-256: 3ce3c11fa8f6f252e16d2d2c5c5fa6ee6a96aef86640862274fdb1ed23999a10
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to redirect users to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-redirection intent. The primary malicious URL identified is http://mopidida.sharkdesarrollos.com/uploads/2020/01/27/ff65a2c16e.pdf.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://mopidida.sharkdesarrollos.com/uploads/2020/01/27/ff65a2c16e.pdf
    Other extracted URLs:
    • https://firesugufiz.weebly.com/uploads/1/3/0/2/130287503/fanivi-jorezinegat-zafeketobokow-fajuduza.pdf
    • http://thecolorpurple.org/uploads/1/3/0/4/130436450/2d851bdb86.pdf
    • https://xarawovuboju.weebly.com/uploads/1/3/0/6/130603866/jobijimuzakejo.pdf
    • http://bayareaspark.com/uploads/1/3/0/4/130435524/9368464.pdf
    • http://tate.betterqualityreviews.com/uploads/2020/01/29/paxuzeviwisalum.pdf
    • https://pavexonu.weebly.com/uploads/1/3/0/3/130323597/825d589a.pdf
    • http://nsmagix.com/uploads/2020/01/27/webeketar-siburivoxibi-losonab.pdf
    • http://msmyer.weebly.com/uploads/1/3/0/5/130588783/8c2dd81079b0e.pdf
    • http://portal.createweb24.com/uploads/1/3/0/6/130621077/130621077.html#blanche+neige+grimm+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000013a2.bin
    SHA-256: d1f448c92f3f6ea5e9b38fd00a4ab7aca6d77b54b291c8e4924399419f3ea1c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13A2
    Size: 8516 bytes
  • Filename: font_01_sfnt_off0000a099.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA099
    Size: 16204 bytes