Malicious PDF — malware analysis report

Static analysis result for SHA-256 413bb808d556d080…

Verdict: MALICIOUS

File type: PDF

Size: 30.9 KB
Authoring application: PDF Studio
MD5: 48d67bd235845538c14fe9ea92e8c344
SHA-1: f71e88409724a92d8b10ed144172beb510fa5fad
SHA-256: 413bb808d556d08075af7f5630121e2b7569058a9c1f68346caca9a3c068cd60
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified as a link farm. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' suggests a phishing or traffic redirection intent. The document body, though partially corrupted, contains references to yoga and spondylosis, likely as a lure to disguise the malicious nature of the embedded links. The primary attack pattern involves directing users to a network of external PDF files hosted on various domains.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002526.bin
SHA-256:  6e43a3d897d798a9be5a53a8798dbecb016be7af0fff0c1cc8ff4ba3cb966ca6
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x2526
Size:     6660 bytes