Malicious PDF — malware analysis report

Static analysis result for SHA-256 461e8f2683c36848…

MALICIOUS

PDF

Size: 53.8 KB
Authoring application: SWFTools
MD5: 92a3fbea47bf5203a76f36da68625630
SHA-1: c8884fa589bbcfb557febe272bfa9df9bd506f96
SHA-256: 461e8f2683c36848e3959ca12db0ec178dfe432a3273fc46642fa69e463afa7b
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a link farm, directing users to multiple external PDF files hosted on various domains. The document body presents a fake error message related to Android Studio, a social engineering tactic to trick users into clicking the malicious links. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and malware distribution intent.

Heuristics (4)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xikizuroxakan.weebly.com/uploads/1/3/0/3/130312996/1278309.pdf
    • http://vumazizozo.coldmineral-soap.com/uploads/2020/01/27/zuvitekaka-nipuratodo-pobed.pdf
    • http://zuwovidune.filelinux.com/uploads/2020/01/27/7908846.pdf
    • https://bidivagulopox.weebly.com/uploads/1/3/0/5/130552016/dobakeja.pdf
    • https://moxinatuzar.weebly.com/uploads/1/3/0/2/130272319/megafebo.pdf
    • https://fazufabuparofer.weebly.com/uploads/1/3/0/5/130540928/a97a0013bf4b.pdf
    • http://globaltoursjourneys.com/uploads/2020/01/29/ed1ebeda4.pdf
    • http://crtropicallivethedream.com/uploads/1/3/0/2/130270832/divabek-dulusilu-muvesizo.pdf
    • http://xutodi.mukhitdinov.org/uploads/2020/01/28/16f510c185.pdf
    • http://406cavapoos.com/uploads/1/3/0/5/130545882/baxudet.pdf
    • http://willspointbluebird.org/uploads/1/3/0/6/130621345/fawiz.pdf
    • http://100womenwhocarensc.com/uploads/1/3/0/6/130621290/vowatozed-dosozebegu-kobewevik-kaximuvozelomik.pdf
    • http://triadstartup.com/uploads/1/3/0/6/130639514/sujixibubulezoxo.pdf
    • http://novo-parfum.ru/uploads/2020/01/28/59e06a6848f.pdf
    • http://thatanimalgroup.org/uploads/1/3/0/2/130287920/xugerujena.pdf
    • http://mew3mew.studio/uploads/1/3/0/6/130639928/mukuvipidojitijomi.pdf
    • http://wawejolun.mydevice-apple.com/uploads/2020/01/28/detemofewibuli_kewigetigulob.pdf
    • http://theartofshade.de/uploads/1/3/0/5/130543575/361164.pdf
    • http://morganwaisner.com/uploads/1/3/0/2/130289765/94e83001.pdf
    • https://tovalopomep.weebly.com/uploads/1/3/0/6/130605258/zekojezamuzan.pdf
    • http://momentsbyval.com/uploads/1/3/0/2/130289279/3381718.pdf
    • http://scottrosenthalphoto.com/uploads/1/3/0/4/130435956/130435956.html#android+studio+gradle+project+sync+failed

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000168e.bin
    SHA-256: 92784b7a61f931b5aaa1b621caa8fa1a89d96c5b120d7c6c236cb756c4bcd618
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x168E
    Size: 8212 bytes
  • Filename: font_01_sfnt_off00006dc7.bin
    SHA-256: e4fc9d559f4a96377a8baf11d056b0c421df137d1df98bf5a0edfb5d4b0c863d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DC7
    Size: 16352 bytes