Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a9956d9312bd7b8…

MALICIOUS

PDF

Size: 54.9 KB
Authoring application: Soda PDF
MD5: 93a524089c9ce9c68405df1d110274d5
SHA-1: 696ea90e92b4bc6d1b69d4d9d8a550d8e4a3faa0
SHA-256: 4a9956d9312bd7b8dcb4a9a249b1fe1ffdef2563145d7f1a85f338c7538d1a19
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to other PDF files hosted on suspicious domains. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the PDF_SEO_LINK_FARM heuristic indicate a phishing or malicious redirection attempt. The document body, while containing garbled text, also includes URLs that are likely part of the lure. The primary attack pattern involves redirecting users to malicious content disguised as a user manual.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://love-your-mind.com/uploads/1/3/0/2/130291552/aadc6aa6.pdf
    • http://khemicalvex.com/uploads/1/3/0/4/130476322/5822546.pdf
    • http://mohousing.weebly.com/uploads/1/3/0/4/130483329/nuwatasabol.pdf
    • http://profesionallashes.com/uploads/1/3/0/4/130436197/f7c9a6fa.pdf
    • http://nj-photo.dk/uploads/1/3/0/6/130639698/0ecf5f687e6c3e2.pdf
    • https://jeninapefazi.weebly.com/uploads/1/3/0/4/130488583/saxufikojajuled.pdf
    • http://amadorrunning.com/uploads/1/3/0/5/130551341/130551341.html#maxisys+elite+user+manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010b5.bin
  SHA-256: dcfc919e22161e0d1a81db8511603d39d05d86edb5720167907206fc7d9f09ff
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10B5
  Size: 8496 bytes

Filename: font_01_sfnt_off000087c0.bin
  SHA-256: 90716bc7fa3e51e0cf9196a0becff50e3af56da5694a30e8b8c8371c46b410cb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x87C0
  Size: 9728 bytes