Malicious PDF — malware analysis report

Static analysis result for SHA-256 472ed102ce42abc9…

MALICIOUS

PDF

Size: 40.4 KB    Authoring application: PDFedit
MD5: 48c4ad86c6e27d77a4053ef82ee361b2 SHA-1: a22f994e4c5297146312480d4a8aa0b250bd2c19 SHA-256: 472ed102ce42abc9e91ba7cb5f4806acba3a0962fe7ad91d51909f2cdf54c83b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to external PDF files, indicative of a link farm or a distribution mechanism for further malicious content. The extracted link targets sit on many distinct hosts but share a single path template (/uploads/1/3/0/<n>/<id>/<name>.pdf), which fits generated carrier documents rather than genuine citations. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or traffic-redirection intent. The document body, while containing some readable text about Achilles tendinopathy, appears to be largely obfuscated or irrelevant to the primary malicious function; the one non-PDF link target is an HTML page whose URL fragment repeats the same tendinopathy keywords, consistent with SEO bait rather than medical content.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://duilawvt.com/uploads/1/3/0/2/130288540/1af10f.pdf
    • http://wormshare.com/uploads/1/3/0/6/130620233/89d61fbfc8373b9.pdf
    • http://hypernox.net/uploads/1/3/0/2/130289724/tojudevivoba.pdf
    • http://silentlyfallen.org/uploads/1/3/0/6/130620366/bolofuvu.pdf
    • http://hiddenpotentialcoaching.com/uploads/1/3/0/2/130289338/widaluxaxokek.pdf
    • http://coastalbarn.com/uploads/1/3/0/7/130775694/d1f8f254b634c73.pdf
    • http://thevisualnarrative.com/uploads/1/3/0/2/130274355/5602459.pdf
    • http://qualityfrags.com/uploads/1/3/0/3/130313428/3390970.pdf
    • http://cancercars.net/uploads/1/3/0/8/130874091/997a398d095353.pdf
    • http://clamagorereef.com/uploads/1/3/0/2/130291589/8678219.pdf
    • http://portraitsformodernpeople.com/uploads/1/3/0/2/130287852/8710110.pdf
    • http://sweetlyavas.com/uploads/1/3/0/5/130543598/8593303.pdf
    • http://test.jungw8.com/uploads/1/3/0/7/130740480/pokitirewe.pdf
    • http://brianbottcher.com/uploads/1/3/0/6/130639034/gitutuwalojavafelub.pdf
    • http://gymdominator.com/uploads/1/3/0/6/130605341/gaverepunekamirod.pdf
    • http://jdlockhartphotography.com/uploads/1/3/0/5/130543064/ef253c9fc77.pdf
    • http://mmcarterconsult.com/uploads/1/3/0/2/130289045/zanemifef.pdf
    • http://terrancedennis.com/uploads/1/3/0/5/130551126/ralit.pdf
    • http://mylesateliersdenine.com/uploads/1/3/0/6/130620968/505214.pdf
    • http://stazkoassociates.com/uploads/1/3/0/2/130271090/vogofadasowobibapop.pdf
    • http://bonothechristian.com/uploads/1/3/0/5/130589014/sufoxazamisaj-tabujomitew-disozej-wuduvosawikewil.pdf
    • http://w83.brdge.org/uploads/1/3/0/6/130620557/130620557.html#calcific+insertional+achilles+tendinopathy
    • http://portraitsformodernpeople.com/uploads/1
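The PDF_SEO_LINK_FARM heuristic above can be reproduced offline. The following is an added example and not code from the analysis tool that produced this report: it pulls /URI link-annotation targets out of raw PDF bytes (both literal and hex string forms), keeps only external links ending in .pdf, and scores clustering by host and, because the links in this sample are on many distinct hosts that share one path template (/uploads/1/3/0/<n>/<id>/...), also by path template, which goes one step beyond the rule text's "one host". The thresholds, the function names and the constructed sample PDFs are assumptions made for illustration.

```python
"""Reproduce a PDF_SEO_LINK_FARM-style heuristic over raw PDF bytes (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds chosen for this example (assumptions, not the report tool's values).
MAX_SIZE_BYTES = 100 * 1024      # what counts as a "small" PDF
MIN_EXTERNAL_PDF_LINKS = 10      # what counts as a "mass" link farm
CLUSTER_RATIO = 0.5              # share of links on the top host or top path template

# /URI targets in link annotations are PDF strings: literal "(...)" or hex "<...>".
# The literal pattern stops at the first unescaped ')'; nested balanced parens are not handled.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape_pdf_literal(raw: bytes) -> bytes:
    r"""Resolve PDF literal-string escapes: octal \ddd, and \x -> x for \( \) \\ etc."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):            # backslash with something after it
            j, digits = i + 1, b""
            while j < len(raw) and len(digits) < 3 and 0x30 <= raw[j] <= 0x37:
                digits += raw[j:j + 1]
                j += 1
            if digits:                                       # octal escape
                out.append(int(digits, 8) & 0xFF)
                i = j
            else:                                            # escaped single character
                out.append(raw[i + 1])
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def extract_uri_annotations(pdf: bytes) -> list[str]:
    """Return every /URI target in the buffer (literal strings first, then hex strings)."""
    urls = []
    for m in _URI_LITERAL.finditer(pdf):
        urls.append(_unescape_pdf_literal(m.group(1)).decode("latin-1"))
    for m in _URI_HEX.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        hexstr += b"0" * (len(hexstr) % 2)                   # PDF pads an odd final digit with 0
        urls.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return urls


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply the size / link-count / clustering test and return the evidence with the verdict."""
    parsed = [urlparse(u) for u in extract_uri_annotations(pdf)]
    pdf_links = [p for p in parsed
                 if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(p.netloc.lower() for p in pdf_links)
    # Path template: drop the file name and replace digit runs, so
    # /uploads/1/3/0/2/130288540/x.pdf and /uploads/1/3/0/6/130620233/y.pdf collapse together.
    templates = Counter(re.sub(r"\d+", "N", p.path.rsplit("/", 1)[0]) for p in pdf_links)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf) <= MAX_SIZE_BYTES and n >= MIN_EXTERNAL_PDF_LINKS
               and max(top_host_share, top_template_share) >= CLUSTER_RATIO)
    return {"size": len(pdf), "urls": len(parsed), "external_pdf_links": n,
            "distinct_hosts": len(hosts), "top_host_share": top_host_share,
            "top_template": templates.most_common(1)[0][0] if n else "",
            "top_template_share": top_template_share, "flagged": flagged}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a minimal PDF skeleton (no xref) with one /Link annotation per URL."""
    def lit(u: str) -> bytes:
        return u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")
    annots = b"".join(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI ("
                      + lit(u) + b") >> >>\n" for u in urls)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n%%EOF\n")


# Constructed samples with hypothetical hosts: twelve distinct hosts, one shared path template.
SAMPLE_FARM_PDF = build_sample_pdf(
    [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1302{i:05d}/doc{i}.pdf" for i in range(12)]
    + ["http://site00.example/uploads/1/3/0/6/130200000/index.html#topic"])
SAMPLE_BENIGN_PDF = build_sample_pdf(
    ["https://docs.example/papers/2019/study.pdf", "https://other.example/a/b.pdf",
     "https://www.example/about.html"])

if __name__ == "__main__":
    for name, blob in (("farm", SAMPLE_FARM_PDF), ("benign", SAMPLE_BENIGN_PDF)):
        print(name, link_farm_verdict(blob))
```

Run it against a real sample by replacing the constructed bytes with the file's contents; the dictionary it returns is the evidence a triage note should carry (link count, distinct hosts, shared template), not just the boolean.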

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                       Size
font_00_sfnt_off00003dd1.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x3DD1    8012 bytes
  SHA-256: 984537670dc715eada789afb21c948b526ff888fed8b249ca2e732ac7d2f573f