Malicious PDF — malware analysis report

Static analysis result for SHA-256 47f243a338d5dc29…

Verdict: MALICIOUS
File type: PDF
Size: 47.6 KB
Authoring application: PDFBox
MD5: 6fbb32733d0acd8b4cb4ae96bf5f3c6c
SHA-1: 112f6df8c4d7a6d1ab37a80805c0c590a1cd57fc
SHA-256: 47f243a338d5dc290d70721f12866eb8de50afdc0132e9eac676a98cb47f8019
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This pattern is indicative of a link farm or a phishing campaign designed to redirect users to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious intent. No scripts were extracted from this sample, and the document body contained mostly obfuscated or irrelevant text.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.yourproject30.com/uploads/1/3/0/2/130274263/pukonuko-zomifesewofur-lejazavam-fufetene.pdf
    • http://monteur-zimmer-gelsenkirchen.de/uploads/1/3/0/5/130551141/nelisowotade.pdf
    • http://www.investmymoney.net/uploads/1/3/0/5/130588550/mokevosudebibiv.pdf
    • http://scarpegps.com/uploads/1/3/0/2/130273578/f739e5df6c78.pdf
    • http://byhumano.com/uploads/1/3/0/3/130324418/25f3bb2f44fe86.pdf
    • http://nicolefcohen.com/uploads/1/3/0/7/130738912/2692948.pdf
    • http://piropeandopueblo.com/uploads/1/3/0/6/130621490/6550356.pdf
    • http://isaacliu.info/uploads/1/3/0/5/130590521/disefepetabapotati.pdf
    • http://www.sm.vaughnschool.com/uploads/1/3/0/6/130639342/logexoxomego_bowoke_milijuvujefiv_vesom.pdf
    • http://mail.affordablecreditsolutions.net/uploads/1/3/0/5/130588438/72336.pdf
    • http://malaguenasabq.com/uploads/1/3/0/4/130436473/c49d52edae8733.pdf
    • http://mail.christalighthealing.com/uploads/1/3/0/2/130287299/xuboni-xakukidobodaj.pdf
    • http://a1810123xstreamtravel.xsideas.com/uploads/1/3/0/9/130969052/130969052.html#egypt+old+kingdom+rulers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000049ee.bin
SHA-256: 1a4e50dada26f0234569cadd5ca6ee17ab11527fcb6890099a8776b8f80296c5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x49EE
Size: 16100 bytes

Filename: font_01_sfnt_off000061a7.bin
SHA-256: 66ee65714789c94aa1413c1ee95a9bd1abc26dd5da9b79369131758f67feced6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x61A7
Size: 8216 bytes