Malicious PDF — malware analysis report

Static analysis result for SHA-256 49066ebf0a11807d…

Verdict: MALICIOUS
File type: PDF
Size: 119.6 KB
Authoring application: pstoedit
MD5: 4724f02d3ac00bfca2f08ca8269b360a
SHA-1: 66f13e6c01c681cd44cd0abbd7292ff8378a5248
SHA-256: 49066ebf0a11807d50dc2e95fb4d672cb3a98c034ac32fe1e8f404be72b11f97
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to phishing or traffic redirection. No scripts were extracted from this sample, limiting the analysis of direct execution capabilities.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off0000136d.bin
    SHA-256: 4cb43b3131a4a71c941a012c88d3e17cfb43939e4c87bcb3aa1f713ea189880e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x136D
    Size: 8884 bytes
  • Filename: font_01_sfnt_off00006915.bin
    SHA-256: 0473bf2941649ad4f587df752becef8560cefb997e3278b69f5193ef5c86f1af
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6915
    Size: 3368 bytes
  • Filename: font_02_sfnt_off0000740b.bin
    SHA-256: 0ebfec5e5178e3f10c7d92982b41666f34bd678211c1739bd6f223c417de5083
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x740B
    Size: 16396 bytes