Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f6cf9c9be6e1590…

Verdict: MALICIOUS
File type: PDF
File size: 48.9 KB
Authoring application: Nitro PDF (taken from the file's own metadata, which is attacker-controlled and not evidence of provenance)
MD5:     87ea864bca774c48f40a819a38eb38ef
SHA-1:   329f46b43b543ade997d59850d6d125efa66edcc
SHA-256: 3f6cf9c9be6e1590429054bd15de96907062da1ed7f8d4d52cdfbfca6d4134ad
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF carries eleven clickable external links (ten to other .pdf files, one to an .html page), a pattern typical of SEO-poisoning and phishing campaigns that route search-engine traffic to attacker-controlled pages. The ClamAV detection Pdf.Phishing.TtraffRobotInstall supports that reading. The document's body text is heavily obfuscated and does not reveal the lure's intent on its own, but the structure and the heuristic hits point to a generated link-farm PDF whose purpose is to deliver further payloads or harvest credentials. The link targets are spread across eleven different hosts yet all share the same /uploads/1/3/0/<n>/<id>/ directory layout, and the single .html target carries a search-keyword fragment (uniform+distribution+moment+generating+function) in its URL, so the links were almost certainly produced from one template as SEO bait rather than being a normal citation pattern.

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://getquicklabs.com/uploads/1/3/0/4/130476085/ratigesaruvurobug.pdf
    • http://firesidefarm.org/uploads/1/3/0/6/130604140/jepulo_vosomusuvefej_zobipezadu_tuwesif.pdf
    • http://verifiedaire.com/uploads/1/3/0/7/130775845/b485adc354089.pdf
    • http://mgpsfm.com/uploads/1/3/0/2/130288762/dalota.pdf
    • http://ketosupplements.us/uploads/1/3/0/7/130775347/berek.pdf
    • http://happyhornet.com/uploads/1/3/0/6/130639849/7e1b50cf35.pdf
    • http://jeanniehouchins.com/uploads/1/3/0/6/130621292/5721261.pdf
    • http://platinumdancecompany.platinumdancecompany.com/uploads/1/3/0/2/130289741/posidupu-kawinetefelaka.pdf
    • http://executivecareercoachinstitute.com/uploads/1/3/0/7/130776828/514ea749780354.pdf
    • http://quantumspirit.us/uploads/1/3/0/4/130483748/jafezogap-ravudiv-liruguw-zafunenowitu.pdf
    • http://gwbtmh.bdgct.com/uploads/1/3/0/5/130552106/130552106.html#uniform+distribution+moment+generating+function
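As an added example (not the analyser's own code), the following Python pulls the /URI targets of link annotations out of an uncompressed PDF and scores the signals the PDF_SEO_LINK_FARM heuristic names: a small file, many external links, and those links clustering on one host. It also checks the path-layout clustering visible in this sample's URLs, where the hosts differ but the /uploads/1/3/0/... directory layout is identical. The sample PDF, the hostnames and the thresholds are constructed for the example and are not the analyser's real tuning.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions for this example, not the analyser's real tuning.
MAX_SIZE_BYTES = 200 * 1024      # "small PDF"
MIN_EXTERNAL_LINKS = 8           # "many clickable external links"
CLUSTER_SHARE = 0.6              # share of links on one host or one path layout

# Literal string following a /URI key; tolerates \( \) \\ escapes inside it.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
_UNESCAPE = {b"\\(": b"(", b"\\)": b")", b"\\\\": b"\\"}


def extract_uris(pdf_bytes):
    """Return URIs from uncompressed /Link annotations.

    Caveat: annotations stored in compressed object streams (PDF 1.5+) or as
    hex strings are invisible to this regex; inflate /FlateDecode streams first
    in real use, or the farm simply looks like a PDF with no links.
    """
    uris = []
    for raw in URI_RE.findall(pdf_bytes):
        raw = re.sub(rb"\\[()\\]", lambda m: _UNESCAPE[m.group(0)], raw)
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_features(pdf_bytes):
    """Compute the features the link-farm rule keys on."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    # Path layout = first four directory segments, e.g. "/uploads/1/3/0".
    layouts = Counter("/".join(urlsplit(u).path.split("/")[:5]) for u in external)
    return {
        "size_bytes": len(pdf_bytes),
        "external_links": n,
        "pdf_links": sum(urlsplit(u).path.lower().endswith(".pdf") for u in external),
        "distinct_hosts": len(hosts),
        "top_host_share": hosts.most_common(1)[0][1] / n if n else 0.0,
        "top_layout_share": layouts.most_common(1)[0][1] / n if n else 0.0,
    }


def is_link_farm(pdf_bytes):
    """True when the file is small, carries many external links, and those links
    cluster on one host or on one generated path layout."""
    f = link_farm_features(pdf_bytes)
    clustered = max(f["top_host_share"], f["top_layout_share"]) >= CLUSTER_SHARE
    return (f["size_bytes"] <= MAX_SIZE_BYTES
            and f["external_links"] >= MIN_EXTERNAL_LINKS
            and clustered)


def build_sample_pdf(urls):
    """Constructed sample: a PDF skeleton with one /Link annotation per URL.
    It has no xref table, so it will not render; it only exercises the extractor."""
    parts = ["%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             "2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"]
    for num, url in enumerate(urls, start=3):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        parts.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                     f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
    parts.append("%%EOF\n")
    return "".join(parts).encode("latin-1")


# Constructed hostnames; the path layout mirrors the one in the report's URLs.
FARM_URLS = [f"http://site{i}.example/uploads/1/3/0/{i % 8}/13047608{i}/doc{i}.pdf"
             for i in range(10)]
# Constructed "normal citation" control case: two links, unrelated hosts and paths.
CITATION_URLS = ["https://www.rfc-editor.org/rfc/rfc8446",
                 "https://www.example.org/whitepaper.pdf"]

if __name__ == "__main__":
    farm = build_sample_pdf(FARM_URLS)
    print(link_farm_features(farm), "->", is_link_farm(farm))
    print(is_link_farm(build_sample_pdf(CITATION_URLS)))
```

The host-share check alone would miss this sample, since every link sits on a different host; the layout-share check is what catches a farm that spreads one template across many throwaway domains.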

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt font streams; none of them triggered a heuristic, and they are listed so they can be hashed, looked up and parsed offline.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000417d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x417D   3240 bytes
  SHA-256: 67fc894c08aa9b18c71306c7644a9adb96c372f012ea6234634c5c8540747d72
font_01_sfnt_off00004c6d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4C6D  16300 bytes
  SHA-256: 6b24ea16bc748f8572ba08af5234ef0dceb84a8e2b3b4634c9daf8b6cff5781c
font_02_sfnt_off0000655a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x655A   9196 bytes
  SHA-256: 0147f2fb4e93a67136fb3531e9a7f32bafb3287f57c4f71fc124e8be6859485d
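The three carved artifacts are sfnt containers (the TrueType/OpenType wrapper). Before a carved font goes anywhere near a rasteriser it is worth checking that its table directory is self-consistent. The following Python, added here as an example and not part of the analyser, parses the sfnt offset table and flags any table record that reaches past the end of the blob, which is what a truncated carve or a malformed directory looks like. The font bytes are constructed; the real carved files are identified only by the hashes above.

```python
import struct

# sfnt "version" tags that mark a TrueType or OpenType container.
SFNT_FLAVORS = {
    0x00010000: "TrueType",
    0x74727565: "TrueType ('true')",
    0x4F54544F: "OpenType CFF ('OTTO')",
}


def parse_sfnt(blob):
    """Parse the 12-byte offset table and the 16-byte table records after it.

    Each record is checked against the blob length: a record that reaches past
    the end means the stream was truncated when carved or is malformed, and in
    either case it should not be handed to a font parser for triage.
    """
    if len(blob) < 12:
        raise ValueError("too short for an sfnt offset table")
    version, num_tables = struct.unpack(">IH", blob[:6])
    if version not in SFNT_FLAVORS:
        raise ValueError(f"unknown sfnt version tag 0x{version:08X}")
    tables = []
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            raise ValueError(f"table directory truncated at record {i}")
        tag, checksum, offset, length = struct.unpack(">4sIII", rec)
        tables.append({
            "tag": tag.decode("latin-1"),
            "offset": offset,
            "length": length,
            "in_bounds": offset + length <= len(blob),
        })
    return {"flavor": SFNT_FLAVORS[version], "num_tables": num_tables, "tables": tables}


def table_checksum(data):
    """OpenType table checksum: big-endian uint32 sum over the 4-byte-padded table."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def build_sample_sfnt(tables):
    """Constructed sample: TrueType-flavoured sfnt built from (tag, bytes) pairs.
    searchRange/entrySelector/rangeShift are left zero; parse_sfnt ignores them."""
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    directory, body = b"", b""
    offset = 12 + 16 * len(tables)
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag.encode("latin-1"),
                                 table_checksum(data), offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


def out_of_bounds_tables(blob):
    """Tags of table records that do not fit inside the blob."""
    return [t["tag"] for t in parse_sfnt(blob)["tables"] if not t["in_bounds"]]


if __name__ == "__main__":
    # Constructed font: a 54-byte 'head' table and a 36-byte 'hhea' table.
    font = build_sample_sfnt([("head", b"\x00" * 54), ("hhea", b"\x01" * 36)])
    print(parse_sfnt(font)["num_tables"], out_of_bounds_tables(font))
    # Simulate a carve that stopped 16 bytes early: 'hhea' now points past the end.
    print(out_of_bounds_tables(font[:-16]))
```

Run against the three carved files, a clean result (correct version tag, every table in bounds) says the carver recovered whole streams; an out-of-bounds table means the offset in the artifact name or the stream length was wrong and the blob should be re-carved before any further analysis.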