Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a824e9734754475…

Verdict: MALICIOUS
File type: PDF

Size: 91.1 KB
Authoring application: GIMP
MD5: f25165ce6a1f9eb37cf628b8412e2a46
SHA-1: 44600490eabee5299c0f83d74ad931e232c625f8
SHA-256: 4a824e9734754475483b37311729e0bfbe9eaa12505720773b541a6c52f766c5
Risk score: 170

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF contains a mass of external links, many of them structured as SEO-friendly URLs, which points to a link farm or redirection mechanism rather than a genuine citation pattern. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 and the SE_PASSWORD_ARCHIVE_LURE heuristic indicate a phishing or malware-delivery attempt. The document body is heavily obfuscated and consists largely of malformed text, but the embedded URLs and the link-farm heuristic together indicate that the intent is to route the user to malicious content, possibly disguised as a download or as a password-protected archive. The declared authoring application (GIMP, a raster image editor) does not match a document built from text and link annotations, so the producer metadata should be treated as unreliable.

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    Document gives password instructions for an archive or attachment, a pattern often used to keep payloads encrypted until after gateway scanning.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mrsseamonsclass.com/uploads/1/3/0/2/130288318/2638063.pdf
    • https://lobomimezexe.weebly.com/uploads/1/3/0/5/130544725/vokex.pdf
    • http://biking4life.org/uploads/1/3/0/3/130313359/wadekoj_koparalatisifu_kudarejakapaju_wafamowomupimud.pdf
    • http://xujib.lider-fruits.ru/uploads/2020/01/28/kidatukenadilipe.pdf
    • http://tawnellhobbs.com/uploads/1/3/0/6/130604692/8074883.pdf
    • http://westtechmobile.ca/uploads/1/3/0/2/130289359/caf9c54734b75.pdf
    • http://bearcreekaquatics.com/uploads/1/3/0/6/130604249/muvorugekazejorasoxa.pdf
    • http://giaycodong.com/uploads/2020/01/28/cd5f85.pdf
    • https://tuvixuvebemupul.weebly.com/uploads/1/3/0/4/130436415/xuxitutevilames.pdf
    • http://michelemoddesign.com/uploads/1/3/0/2/130272415/bewazukoxufi.pdf
    • http://fafidufoza.ilikepizza.ru/uploads/2020/01/27/4807149.pdf
    • http://christyhelps.com/uploads/1/3/0/5/130590140/relafakizopeju.pdf
    • http://fugelu.gost-stroy.com/uploads/2020/01/28/dasarikavajivorolasi.pdf
    • http://stopgemorroj.ru/uploads/2020/01/27/6214042.pdf
    • http://bridgestonehomestudy.com/uploads/1/3/0/6/130604369/4050888.pdf
    • http://recure.eu/uploads/1/3/0/2/130289632/007f5.pdf
    • http://nuobeijing.devsite-1.com/uploads/1/3/0/6/130620645/130620645.html#ibm+aix+7.+1+expansion+pack
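
As an added example (not the report generator's code, and not ClamAV's signature logic), the following Python shows how the PDF_SEO_LINK_FARM, SE_DOWNLOAD_BUTTON and SE_PASSWORD_ARCHIVE_LURE heuristics above can be evaluated against a file: it pulls /URI targets out of link-annotation actions (literal and hex strings, in raw objects and in FlateDecode-compressed streams), scores how many external .pdf links there are and how strongly they cluster on one host relative to the file size, and pattern-matches lure phrases in recovered page text. The thresholds, the phrase lists and the sample PDF (built in-code with example.net/.org/.com hosts) are assumptions made for the demonstration, not values taken from the analysis engine.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions made for this example, not the analysis engine's values.
SMALL_PDF_BYTES = 200 * 1024   # "small PDF" carrier
MIN_PDF_LINKS = 10             # "mass" of clickable external .pdf links
MIN_HOST_SHARE = 0.5           # "mostly clustered on one host"

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_LIT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /URI (literal string)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")   # /URI <hex string>
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj")                 # text-showing operands
LURE_RE = {  # phrase lists are illustrative assumptions
    "SE_DOWNLOAD_BUTTON": re.compile(r"\b(click here to download|download now)\b", re.I),
    "SE_PASSWORD_ARCHIVE_LURE": re.compile(
        r"\b(password\b.{0,40}\b(archive|zip|rar|attachment)|(archive|zip|rar|attachment)\b.{0,40}\bpassword)\b",
        re.I | re.S),
}

def _views(data):
    """Yield the raw file, then each stream body that inflates as FlateDecode (trailing bytes ignored)."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # uncompressed or non-Flate stream; the raw view already covers it

def extract_uris(data):
    """Collect /URI targets from link-annotation actions, literal or hex encoded."""
    uris = []
    for view in _views(data):
        uris += [m.group(1).decode("latin-1") for m in URI_LIT_RE.finditer(view)]
        for m in URI_HEX_RE.finditer(view):
            hexstr = re.sub(rb"\s", b"", m.group(1))
            hexstr += b"0" * (len(hexstr) % 2)   # PDF pads an odd final hex digit with 0
            uris.append(bytes.fromhex(hexstr.decode()).decode("latin-1"))
    return uris

def extract_text(data):
    """Naive text recovery: operands of Tj across raw and inflated content streams."""
    return " ".join(m.group(1).decode("latin-1")
                    for view in _views(data) for m in TJ_RE.finditer(view))

def link_farm_score(uris, pdf_size):
    """PDF_SEO_LINK_FARM-style check: many external .pdf links, one dominant host, small carrier."""
    pdf_links = [u for u in uris
                 if urlparse(u).scheme in ("http", "https") and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fired = pdf_size <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS and share >= MIN_HOST_SHARE
    return {"fired": fired, "pdf_links": len(pdf_links), "top_host": top_host, "top_host_share": round(share, 2)}

def lure_hits(text):
    """Names of the social-engineering lure patterns present in the recovered text."""
    return sorted(name for name, rx in LURE_RE.items() if rx.search(text))

def scan_pdf(data):
    uris = extract_uris(data)
    return {"link_farm": link_farm_score(uris, len(data)), "lures": lure_hits(extract_text(data)), "urls": uris}

def build_sample_pdf(urls, lines):
    """Constructed one-page PDF: one URI link annotation per URL, Flate-compressed page text."""
    content = b"BT /F1 12 Tf 72 720 Td " + b" ".join(b"(%s) Tj 0 -14 Td" % l.encode() for l in lines) + b" ET"
    packed = zlib.compress(content)
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            None,  # page object, filled in once the annotation object numbers are known
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream"]
    refs = []
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>" % u.encode())
        refs.append(b"%d 0 R" % len(objs))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
               + b" ".join(refs) + b"] >>")
    out, offsets = b"%PDF-1.4\n", []
    for n, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, startxref)
    return out

# Constructed sample input: 12 .pdf links on one host, 2 on others, 1 non-PDF link, plus lure text.
SAMPLE_URLS = ([f"https://files.example.net/uploads/1/3/0/5/130544725/doc{i:02d}.pdf" for i in range(12)]
               + ["http://example.org/uploads/2020/01/28/a.pdf", "http://example.com/uploads/2020/01/27/b.pdf",
                  "http://example.net/index.html#search+terms"])
SAMPLE_LINES = ["Click here to download the full report.", "Archive password: 1234"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, SAMPLE_LINES)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Run it against a real file with scan_pdf(open(path, "rb").read()). The regex walk deliberately avoids a full PDF object parser, so it misses URIs held in object streams with filters other than FlateDecode and in encrypted documents; a production scanner should parse the object graph instead. Against the sample in this report, expect host clustering to be weaker than in the constructed input: the extracted URLs above are spread over many hosts and instead share an /uploads/1/3/0/…/13xxxxxxx/ path template, so a heuristic tuned for this family would cluster on path shape as well as on host.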

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001470.bin
SHA-256: 32cd404d7471f2700574476bd300ef5c401e3950a3d34894fdb00dbc8026b0c2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1470
Size: 8976 bytes