Malicious PDF — malware analysis report

Static analysis result for SHA-256 41d702d7432cdc61…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Authoring application: Pdftk
MD5: 75f982e54039b96b0f5f476548dd380b
SHA-1: c0c8e6607e53090ad6312b6f42d026b75524f819
SHA-256: 41d702d7432cdc6150d66d8c6c7640c7963bbf9bb528f8fec1c6acbc8c83d244
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent. The document's primary function appears to be directing users to a network of websites, most likely for phishing or SEO spam.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005261.bin
SHA-256:  beeaa1e14922fe4daefa09ff777594cbfaca572b086d90ca898e236253afee69
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x5261
Size:     8432 bytes