Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a3355773f730dc3…

MALICIOUS

PDF

Size: 37.3 KB
Authoring application: Karbon
MD5: ff1852816fca365573a7f3b33fa944a6
SHA-1: 0f5e4850bada3fcd4d30b5b2707a3630a9534a9a
SHA-256: 4a3355773f730dc334b60dcd56b893b2b39319356134b86f9c8f49f4a625155b
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 Malicious File: Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. ClamAV also detected this as Pdf.Phishing.TtraffRobotInstall. The primary intent appears to be SEO manipulation or distributing a large volume of links, potentially for phishing or malware distribution, using the domain eisk-ads.com as a prominent host.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001551.bin
SHA-256: a4b718109b12e40e4d66dac8dcd5a780b834b991f862714687e2dd3077db7d8c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1551
Size: 7676 bytes