Malicious PDF — malware analysis report

Static analysis result for SHA-256 42518a86f4adda9b…

Verdict: MALICIOUS
File type: PDF
Size: 48.0 KB
Authoring application: Scribus
MD5: 5b15e6af90baa03eb7423e6f23037a8d
SHA-1: d1a48649beb6ec427109bda85186849adef7e816
SHA-256: 42518a86f4adda9b7b179f1786ee8278c073830fec7d76b66713d6db858e9df9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links pointing to external PDF files, a technique commonly used for phishing or for distributing further malicious content. The ClamAV detection name 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or traffic-redirection campaign. No scripts were extracted, but the heuristic 'PDF_SEO_LINK_FARM' indicates that the primary malicious function is the mass generation of external links.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://rivergeenewsday.com/uploads/1/3/0/4/130489650/dumunuzefero-bifilolobena-sosefexujagiraf-xixik.pdf
    • http://www.zirconiaedu.com/uploads/1/3/0/6/130605108/6007045.pdf
    • http://www.yourhomedesigns.us/uploads/1/3/0/4/130489371/88e5b669b94a39.pdf
    • http://enrtwinz.online/uploads/1/3/0/2/130289311/ruxez_webegosomij_midebeboju_peviweko.pdf
    • http://allfrets2015.com/uploads/1/3/0/7/130776197/tebejibamilesu.pdf
    • http://performancecrateengines.com/uploads/1/3/0/4/130489029/tutipisipo_lesimeniba.pdf
    • http://swctoa.com/uploads/1/3/0/6/130605412/gofewuboburo.pdf
    • http://www.chattaqueery.com/uploads/1/3/0/5/130539691/a90e3d6b5f103.pdf
    • http://wineandwhiskey.net/uploads/1/3/0/6/130604524/8a8e2533d.pdf
    • http://www.cainimprovements.com/uploads/1/3/0/6/130621959/tutujareb.pdf
    • http://thehiphopsutra.com/uploads/1/3/0/2/130289755/2456817.pdf
    • http://central24h.com/uploads/1/3/0/6/130640071/saziwefimu_tuporegasa_rulogerelur.pdf
    • http://alwayslocalmarketing.com/uploads/1/3/0/2/130289738/geginonibepetilub.pdf
    • http://dorset-bike-ride.com/uploads/1/3/0/5/130589342/2548266.pdf
    • http://meghanjaneiro.com/uploads/1/3/0/6/130620321/mumeziregariwov_komemovasel_pegutobuwimaw_sivuw.pdf
    • http://campaignartwork.com/uploads/1/3/0/7/130740316/84f8c7b5.pdf
    • http://marcusphotography.net/uploads/1/3/0/2/130288762/1893360.pdf
    • http://renaferioli.com/uploads/1/3/0/6/130621383/2835867.pdf
    • http://masseffectgame.com/uploads/1/3/0/4/130435766/futugobepi.pdf
    • http://myersmindset.com/uploads/1/3/0/8/130874276/zigod.pdf
    • http://sunrise.websalve.com/uploads/1/3/0/7/130776676/130776676.html#ascaris+lumbricoides+tratament

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005a87.bin
SHA-256: e2d82335cd8c145bdc37e7fcd12f7d8e379d147dff04353aa7960581ccc6f3b5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5A87
Size: 8820 bytes