Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e51484edf45fac4…

MALICIOUS

PDF

35.8 KB Authoring application: pstoedit
MD5: 3b7e7023fd745cbe918567fc1b7109f7 SHA-1: 3c82d8fe8837671cfab1c2ba6a735ae89ddd6340 SHA-256: 3e51484edf45fac4b481660d3290fa1dfdd648f1a43a4f55e4ed55e400474f3c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious redirection intent. The embedded URLs are likely used to direct users to malicious websites for credential harvesting or further malware delivery.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tele2phone.ru/uploads/2020/01/29/dfa949a21.pdf
    • http://partnerkimho.ru/uploads/2020/01/28/9805070.pdf
    • http://fobujexuje.paypal-support.bz/uploads/2020/01/28/fexeguguvoz_relenudoxarare_fimadisujepelax.pdf
    • https://dadumazuxud.weebly.com/uploads/1/3/0/3/130313038/4592181.pdf
    • http://mebabox.canvasland.ru/uploads/2020/01/28/320bc9ecb5.pdf
    • http://reduzepo.gruzavi.ru/uploads/2020/01/29/4d407783f50863.pdf
    • http://wirun.maturitas.ru/uploads/2020/01/29/fafabinuge_kozojexoder_lovol.pdf
    • https://futetekixokep.weebly.com/uploads/1/3/0/3/130323789/1128191.pdf
    • https://kiwanuwux.weebly.com/uploads/1/3/0/2/130289166/xadaw.pdf
    • http://tig.jetscan.tech/uploads/2020/01/27/dufabox.pdf
    • http://productdesigntools.com/uploads/1/3/0/5/130543468/028712a4b125.pdf
    • http://gudal.ustroymsk.ru/uploads/2020/01/28/liwasapan_kimokekijasev_kureseso_romolufaz.pdf
    • http://steptkd.org/uploads/1/3/0/4/130478160/rupijemix.pdf
    • http://podarklyazhnschin.fun/uploads/2020/01/28/f5e7fde7.pdf
    • http://fakerybakery.com/uploads/1/3/0/2/130291673/vasevitivilo.pdf
    • http://customcabinetrybydiversifiedfixture.com/uploads/1/3/0/4/130483492/2248562.pdf
    • http://alextindall.net/uploads/1/3/0/2/130289238/runapedulemafamuse.pdf
    • https://mozikado.weebly.com/uploads/1/3/0/3/130323115/rudezapad-kurupuvomixet-xugodukibawuwi.pdf
    • https://kudefinigumol.weebly.com/uploads/1/3/0/2/130270907/47a6809ac02df4.pdf
    • http://bejustalittlebetter.com/uploads/1/3/0/5/130590323/130590323.html#ungrouped+data+questions+and+answers

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000157d.bin
defb99a0d40657fdddc64a306fe5944a6ac6c9be69a174668d7d252d1a94b859		 pdf-font-stream PDF embedded font (sfnt) at offset 0x157D 7684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.