Malicious PDF — malware analysis report

Static analysis result for SHA-256 481c4e7c1d6c2229…

Verdict: MALICIOUS
File type: PDF
Size: 30.1 KB
Authoring application: PDFedit
MD5: 61d4ef2493d93aa9d37936ba95d5be76
SHA-1: f3320fec188d09a61e266fffe5d2b13534d2970c
SHA-256: 481c4e7c1d6c2229c0292e94164cd63544cfcfbfcc26a1fd6f985dc97aca46d0
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The document body itself contains some text related to a religious book, but the primary malicious activity appears to be the link farm.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from link annotations:
    • http://cltprep.com/uploads/1/3/0/2/130272290/viteka.pdf
    • http://jubutunu.tiningthet.pro/uploads/2020/01/29/mabonabimofegukawafe.pdf
    • http://moxedi.spadesign.ru/uploads/2020/01/28/cf45258f98.pdf
    • http://arturotrovato-vo.com/uploads/1/3/0/5/130543878/fetulotipeke.pdf
    • http://wuxerodi.lesperformance.net/uploads/2020/01/28/3470268.pdf
    • http://revivelifechurch.org/uploads/1/3/0/6/130620651/tebuzamogekazix_xalone_bosowip.pdf
    • http://fotodom-rzn.ru/uploads/2020/01/28/nitomaxoxina.pdf
    • http://nuf.sanacomounamanzana.com/uploads/2020/01/28/sepexedo.pdf
    • http://faxepip.tierheilbehandlung.com/uploads/2020/01/27/6191dbcec.pdf
    • http://freshideamama.com/uploads/1/3/0/3/130313166/tasipisikin-lezuvosefum-xowode-kufovuseduwegad.pdf
    • http://serenavitabirth.com/uploads/1/3/0/5/130551941/xusanobewalelon_roligisedobivi_ribip_komujudevor.pdf
    • http://apauline.com/uploads/1/3/0/5/130590545/xatakemurejelus.pdf
    • http://kixuf.spec-techavto.ru/uploads/2020/01/28/f2f652fd7e6.pdf
    • http://seziwi.biohimchistka.ru/uploads/2020/01/27/be6a85af87c0f2.pdf
    • http://cfthomas.com/uploads/1/3/0/6/130605307/130605307.html#el+reino+de+dios+y+su+justicia+guillermo+maldonado+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013da.bin
SHA-256: 2be68abbb4cde01a1b580635906d9f88217a689fe2f7bf394c4d063039e250da
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13DA
Size: 7264 bytes