Malicious PDF — malware analysis report

Static analysis result for SHA-256 3feadba79cd197e3…

MALICIOUS

PDF

Size: 43.3 KB
Authoring application: Poppler-utils
MD5: 75cc5d4bc8b1136d537dc03543a236b1
SHA-1: 42954903502b0447eb3fc014034307bd3f2405bb
SHA-256: 3feadba79cd197e3a2c177116b6c0436b5f1ff506bf44cffa8b347e3f5278749
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded links to other PDF files, a technique often used for SEO manipulation or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious distribution intent. No scripts were extracted from this sample, and the document body was unreadable, so the rationale is based on the heuristic firings and the extensive list of external URLs.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d49.bin
SHA-256: ff27d99f049fa5ec83b4c3710afe1f9aee00eb20942a9349d435d4ca5ad10f97
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D49
Size: 16388 bytes

Filename: font_01_sfnt_off000045ca.bin
SHA-256: d3b953d612e213bd4e318fd2eab94593b726bfc4561bc4132b7a0ab3e7202017
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x45CA
Size: 8964 bytes