Malicious PDF — malware analysis report

Static analysis result for SHA-256 42bcd29adccd8664…

MALICIOUS

PDF

Size: 32.1 KB
Authoring application: pdf-parser
MD5: 9235b96d4a8c40185e1ed1802218ead7
SHA-1: d67f5974a5d38ff61a0e0bdd43ee8a59260aea2b
SHA-256: 42bcd29adccd86640d6940cc04679b87ee8b3c0ae6594b830b49b9b315086f3a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to traffic redirection or phishing. The document body itself is heavily obfuscated and contains a mix of seemingly random text and URLs, reinforcing the malicious nature of the file.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://tintanegrahtx.com/uploads/1/3/0/5/130539182/dimogapomuxusasutur.pdf
    • http://xokotafuji.amazon-sellers-fba.com/uploads/2020/01/27/fezagalixo_nigatagudu.pdf
    • http://morganrv.com/uploads/1/3/0/6/130639398/tujozumusepo-pelofoduw.pdf
    • http://newindanderyd.com/uploads/1/3/0/5/130543476/8e20342f.pdf
    • http://stillwaterswellness.org/uploads/1/3/0/6/130640105/faxajoniliduwe.pdf
    • http://mynuagain.com/uploads/1/3/0/5/130543536/fenapozidadevu-viduxofixur-zavedilevomi-baxawidavotojuk.pdf
    • http://peaceloveyogaindex.com/uploads/1/3/0/4/130435601/silobix.pdf
    • http://readytoadopt.ca/uploads/1/3/0/3/130312957/4913060.pdf
    • http://livegreaterdayton.com/uploads/1/3/0/4/130435962/pipip.pdf
    • http://rizojexif.ledy-boss.su/uploads/2020/01/27/8511378.pdf
    • http://blockchainitalia.online/uploads/2020/01/28/2605204.pdf
    • http://vancouverislandpremiumhardcandy.com/uploads/1/3/0/6/130605001/f9a1aaa.pdf
    • http://scimedart.com/uploads/1/3/0/6/130621101/914fecab7.pdf
    • http://mountainfestival.org/uploads/1/3/0/5/130551585/getebefi.pdf
    • http://nationalriskmanagementgroup.com/uploads/1/3/0/6/130603847/130603847.html#premam+chinna+chinna+song+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013b2.bin
SHA-256: 1573409f0b4a9e4cdd51a38a0307dd64bbeeba38458c2bc1336782cef54f10f2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13B2
Size: 7960 bytes