Malicious PDF — malware analysis report

Static analysis result for SHA-256 49d4f16a8aad5b5f…

Verdict: MALICIOUS
File type: PDF
Size: 61.9 KB
Authoring application: PDF Studio
MD5: 7abcbacd4997c9a471bfd8221683f799
SHA-1: 8176c2842e1b4841d9efebed6aee619901612bfc
SHA-256: 49d4f16a8aad5b5f0beedeee3a78a95511442c79522b6ccd1dba3c55a868c926
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent. The document body is heavily obfuscated, but the presence of numerous links pointing at other PDFs suggests a phishing or SEO spam campaign. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jopimobow.weebly.com/uploads/1/3/0/5/130588902/1570952.pdf
    • http://rockstarsproductions.com/uploads/1/3/0/6/130621197/379827.pdf
    • http://owenmuirmd.com/uploads/1/3/0/6/130621284/4608372.pdf
    • http://zcbcspfld.org/uploads/1/3/0/5/130551749/sufedawizu.pdf
    • http://maqedsolutions.com/uploads/1/3/0/4/130488924/zuzaworal-zixiwenuno-fupafujelagoru-garabimaka.pdf
    • http://ziven.rutail.ru/uploads/2020/01/27/2332aa59dd1.pdf
    • http://realfengshuimaste.com/uploads/1/3/0/5/130539691/9642386.pdf
    • http://mofix.mehanikaavto.ru/uploads/2020/01/28/3943087.pdf
    • http://laising-swd.de/uploads/1/3/0/3/130323196/novivemiloge_pufevukakaz_kasene.pdf
    • https://wojowutawune.weebly.com/uploads/1/3/0/4/130478602/pupirurejupo.pdf
    • http://kicon-academic.com/uploads/1/3/0/5/130546343/jedirikoxeged-vewapu-tewuj.pdf
    • http://radiantrebelcollective.com/uploads/1/3/0/6/130621109/337991.pdf
    • http://qui.social/uploads/1/3/0/4/130478295/lowopebasodo-vobos.pdf
    • http://sharkdinghy.com/uploads/1/3/0/4/130483817/vanalipaf_padosowese.pdf
    • http://ways2life.com/uploads/1/3/0/3/130313577/vodigojolelex.pdf
    • http://nlg-pros.com/uploads/1/3/0/6/130620228/9029b687f6ede6b.pdf
    • http://cbconservation.com/uploads/1/3/0/6/130604202/3654860.pdf
    • http://doodlebugblessingsgoldendoodles.com/uploads/1/3/0/3/130323124/e3f395ea13d3.pdf
    • http://meshayla.com/uploads/1/3/0/3/130323157/130323157.html#html+tags+pdf+in+tamil

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000012ac.bin
    SHA-256: b3ee511cf829b366cbf240577e8e8d3960e0098468b3d16bb0a241b16a0d1a66
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12AC
    Size: 8576 bytes
  • Filename: font_01_sfnt_off000097be.bin
    SHA-256: 4233691bb35c041a4d4b98e1d9e22d064a2771ac4e81cd754eda4da929282be7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x97BE
    Size: 7676 bytes
  • Filename: font_02_sfnt_off0000ab1b.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAB1B
    Size: 16204 bytes