Malicious PDF — malware analysis report

Static analysis result for SHA-256 405f277c4076a0d0…

Verdict: MALICIOUS
File type: PDF
Size: 65.2 KB
Authoring application: PDFedit
MD5: 61dfd72b1aaf04d4d171ea5fcc80b1be
SHA-1: 865fef46a45b87dded8d9bb6ca2845ac641056b0
SHA-256: 405f277c4076a0d04f1a81b28c1a17c86d8aab66b16bce74e1aea3c8d514f39d
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which point to other PDF files hosted on various domains. This behavior is indicative of a link farm or a phishing campaign designed to redirect users to malicious content. The embedded JavaScript stream, while not directly analyzed for its payload, likely contributes to the redirection or obfuscation of the malicious links. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and redirection nature of this document.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013b9.bin
SHA-256: 6823d6120da5e112eba51e20f1ce1b0177fc711cd9fb8c6bcfd6644de3b81d51
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13B9
Size: 9488 bytes

Filename: font_01_sfnt_off0000af97.bin
SHA-256: 43dc70b6a2d0f0400e5080c2cfef1bfa0583bf77e56b06911b007d479388fc01
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAF97
Size: 3016 bytes

Filename: font_02_sfnt_off0000b991.bin
SHA-256: b080e6aa9682ff87567a230b404ab00780bafcfd3ba11e3f536b788ca6e08ef5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xB991
Size: 16060 bytes