Malicious PDF — malware analysis report

Static analysis result for SHA-256 4033b38eca3de184…

Verdict: MALICIOUS
File type: PDF
Size: 59.7 KB
Authoring application: Mobipocket Creator
MD5: 3dedc35021075e25e179f7c83a7d6b31
SHA-1: 90387a00c08d614bdd7d988a458be5e20a026b1c
SHA-256: 4033b38eca3de184167f64fabde432b020b7bbdc4f25bc0e3e70b34cb7da08a4
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files across various domains. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute malicious content. The ClamAV heuristic also flags this file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', further supporting malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://surgicalwebcasting.com/uploads/1/3/0/5/130551302/kugifukowudabodes.pdf
    • http://newrootscharter.org/uploads/1/3/0/7/130739366/8480542.pdf
    • http://www.cutepawsonline.com/uploads/1/3/0/6/130604541/tuzaxulewago.pdf
    • http://robsvirtualretirement.com/uploads/1/3/0/4/130483507/85347.pdf
    • http://naominnewmexico.com/uploads/1/3/0/7/130738825/viwuluvux.pdf
    • http://worldgolflessons.com/uploads/1/3/0/5/130551898/3560340.pdf
    • http://thewholesomeway.net/uploads/1/3/0/7/130776319/d30a72f.pdf
    • http://blazzt.com/uploads/1/3/0/4/130488248/fasotakul.pdf
    • http://www.theheartofmassage.com/uploads/1/3/0/3/130379110/2578480.pdf
    • http://chungyenlin.com/uploads/1/3/0/6/130620340/8726708.pdf
    • http://controlledwatersolutionz.com/uploads/1/3/0/4/130483765/xitamopakaresat.pdf
    • http://masterhercraft.com/uploads/1/3/0/6/130639941/vubunut.pdf
    • http://draamasalo.com/uploads/1/3/0/3/130379145/bigowasizu_vedudotinaguk_xatagovetuped.pdf
    • http://dlpcustom.com/uploads/1/3/0/2/130270776/6167437.pdf
    • http://www.maclassenumerique.be/uploads/1/3/0/4/130489367/e9d81c440db5.pdf
    • http://philliplarsen.org/uploads/1/3/0/4/130436182/kokeweritexowemuvaxo.pdf
    • http://erjica.site/uploads/1/3/0/7/130739535/solujaje.pdf
    • http://patriciabondrn.com/uploads/1/3/0/5/130550952/ranokizijiw.pdf
    • http://rokuhispano.com/uploads/1/3/0/4/130477372/c398141.pdf
    • http://ojqp5vbe.brdge.org/uploads/1/3/0/9/130969434/130969434.html#lirik+lagu+sholawat+nariyah+dan+artinya

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind                    | Source                                   | Size
stream_001_off00005b65.bin   | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5B65 | 27740 bytes
  SHA-256: 77088aae898d221c97212b7580505f9be5115b86cdd0ecfd346a2f2667bc26bb
font_01_sfnt_off00008ba9.bin | pdf-font-stream         | PDF embedded font (sfnt) at offset 0x8BA9 | 8252 bytes
  SHA-256: 786d098ac981b65ea5e9854bb93f660a01ae00bf7d129d94a8363d717247b1d7