Malicious PDF — malware analysis report

Static analysis result for SHA-256 42598057b8b50b0d…

MALICIOUS

PDF

Size: 41.6 KB
Authoring application: pdf-parser
MD5: 47dceb4610d5e17bd4793449d443e33f
SHA-1: 65e5c9e55c53b12d6ddf1932d27df904219219df
SHA-256: 42598057b8b50b0dd0108421cc2721d97a9319eb1ae46c538a23544341ed6411
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded external links, indicating a link farm likely used for SEO manipulation or to redirect users to phishing or malware sites. The primary heuristic firing, PDF_SEO_LINK_FARM, directly supports this assessment. No scripts were extracted from this sample.

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://newpathorg.com/uploads/1/3/0/2/130271048/jitavefu.pdf
    • http://x-qual.com/uploads/2020/01/27/31c263.pdf
    • http://dianehulsejewelry.com/uploads/1/3/0/5/130544968/lepibizarezuloxuk.pdf
    • http://mordyhandmade.ca/uploads/1/3/0/4/130483558/3e6266710aeef.pdf
    • https://rubusaxenijipe.weebly.com/uploads/1/3/0/4/130483303/tuzerademidofezero.pdf
    • http://northeastbathrooms.co.uk/uploads/1/3/0/4/130476091/4008649.pdf
    • http://marissaleong.com/uploads/1/3/0/6/130605482/mavizewosazinu.pdf
    • http://vimux.zahopl.xyz/uploads/2020/01/28/somosi-fegep-gedipinaso.pdf
    • https://muxomesusibepa.weebly.com/uploads/1/3/0/2/130287929/pidiwek-murewogag-burasagidapawu.pdf
    • http://cannononlinemarketing.com/uploads/1/3/0/6/130604558/efdb5.pdf
    • http://dickbirdphoto.com/uploads/1/3/0/5/130541073/pezixewiwekup_legopil.pdf
    • http://medterramexico.com/uploads/1/3/0/5/130589287/zolijokir-tovezerovarixus.pdf
    • http://backtopulse.com/uploads/1/3/0/5/130588856/a8a541a77a88b1.pdf
    • http://rudingantengdarilahir.com/uploads/1/3/0/2/130273761/6654913.pdf
    • http://thehallatsaintgeorge.com/uploads/1/3/0/5/130588506/4264226.pdf
    • http://famefula.lechenienarkomanii-ivanovo.ru/uploads/2020/01/29/nujezafupovu_pedogubalen.pdf
    • https://mafadurafin.weebly.com/uploads/1/3/0/3/130379061/barovezikujal-vedapasazam.pdf
    • https://vexupowira.weebly.com/uploads/1/3/0/4/130483632/pediwelipav-meniso-kerifud.pdf
    • http://dancinggoatsanctuary.com/uploads/1/3/0/5/130588937/130588937.html#chalet+girl+full+movie

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000158c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x158C   8100 bytes
  SHA-256: 87dc580b3d5d955838f2238f72251b53b22940f37ab5cae468c8f907f3be103f
font_01_sfnt_off00005920.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x5920   16632 bytes
  SHA-256: 7641fd6140d9681c899467113122cb3afaa93179dbbfbf3dbc75e92bab122a54