Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c8aa9ee03356dfd…

Verdict: MALICIOUS
File type: PDF
File size: 37.0 KB
Authoring application: Solid Converter PDF
MD5: fe3dc9a1378d2e89cd76bf7abfd46fb3
SHA-1: 57a7b8a87045bc8fc57c538a9deadb046c587510
SHA-256: 4c8aa9ee03356dfd3c2321a405201d3fc110caf637e9a378a5e3d2cb15a3f26e
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell
(T1566.002 is the Spearphishing Link sub-technique; Spearphishing Attachment is T1566.001. The link-farm evidence below fits the link sub-technique. No PowerShell content appears in any artifact listed on this page, so treat that mapping as unconfirmed for this sample.)

The PDF carries eleven clickable external links. Ten point to further .pdf files on ten unrelated hosts that all share the same /uploads/1/3/0/<digit>/<9 digits>/ path layout; the PDF_SEO_LINK_FARM heuristic flags this as a generated SEO/link-farm carrier rather than a genuine citation pattern. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 corroborates the phishing classification. The embedded body text, though heavily corrupted, refers to financial accounting and managerial accounting, and the single .html target's fragment repeats the same topic (in Indonesian), consistent with a search-engine lure. The only carved artifact is an embedded font; no JavaScript or other active content is reported. The sample's function is to route the reader to the next-stage malicious PDFs hosted on those domains.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the clustering is by path layout rather than by host: every .pdf target sits under /uploads/1/3/0/<digit>/<9 digits>/ on a different domain.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel (link annotation, JavaScript, document body, ...) through which the document reaches it.
    • http://justrj.com/uploads/1/3/0/3/130379718/lepafokoligosazabo.pdf
    • http://castlehallnews.com/uploads/1/3/0/4/130435784/1303814.pdf
    • http://cfohb.org/uploads/1/3/0/7/130775888/xenut.pdf
    • http://thearchitectsofsound.com/uploads/1/3/0/7/130740184/708719.pdf
    • http://costaricaluxury.rentals/uploads/1/3/0/6/130604185/1790496.pdf
    • http://allstarjamparty.com/uploads/1/3/0/2/130289236/45d1abfe.pdf
    • http://rowstersoda.com/uploads/1/3/0/5/130590153/9436689.pdf
    • http://moderntypeface.com/uploads/1/3/0/6/130622075/cb739d7dc4ceb.pdf
    • http://teatiendoapp.com/uploads/1/3/0/7/130776474/7407c83e8be.pdf
    • http://txpublicschoolproud.com/uploads/1/3/0/4/130489019/jafujopafofubuwoxe.pdf
    • http://mianduimianshipinqipaiyouxi.br3h.com/uploads/1/3/0/2/130288383/130288383.html#perbedaan+financial+accounting+dan+managerial+accounting (fragment is Indonesian: "difference between financial accounting and managerial accounting")
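The PDF_SEO_LINK_FARM check described above, reimplemented as an added Python example (not the analyser's own code). It pulls /URI targets out of the document's link annotations, counts external .pdf links, and measures how clustered they are. It goes one step past the heuristic's wording: besides host clustering it also clusters by path layout with digit runs collapsed, because the URLs listed above sit on ten different hosts but on one /uploads/N/N/N/N/N shape. The sample PDF, its URLs and the thresholds are constructed for the example and are not taken from the analysed file.

```python
"""Added example: a PDF_SEO_LINK_FARM-style check over /Link annotations.
Not the analyser's code; sample URLs, PDF bytes and thresholds are assumed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs (not the report's): six .pdf targets on six hosts
# sharing one Weebly-style /uploads/ path layout, plus one .html lure page.
SAMPLE_URLS = [
    "http://host-a.test/uploads/1/3/0/3/130000001/lure1.pdf",
    "http://host-b.test/uploads/1/3/0/4/130000002/1303814.pdf",
    "http://host-c.test/uploads/1/3/0/7/130000003/xenut.pdf",
    "http://host-d.test/uploads/1/3/0/7/130000004/708719.pdf",
    "http://host-e.test/uploads/1/3/0/6/130000005/1790496.pdf",
    "http://host-f.test/uploads/1/3/0/2/130000006/45d1abfe.pdf",
    "http://host-g.test/uploads/1/3/0/2/130000007/130000007.html#topic",
]
# A normal document citing one paper and its publisher: must not be flagged.
BENIGN_URLS = ["https://example.org/", "https://example.org/paper.pdf"]

def build_sample_pdf(urls):
    """Build a minimal one-page PDF whose /Annots are /Link -> /URI actions."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{refs}] >>".encode())
    for u in urls:
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] "
                    f"/A << /S /URI /URI ({u}) >> >>".encode())
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref}\n%%EOF\n").encode()
    return bytes(out)

# /URI key followed by a PDF literal string; tolerates backslash escapes.
# Assumption: links live in literal strings inside uncompressed objects. A
# real triage tool must also inflate object streams and decode <hex> strings.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)

def extract_uri_links(pdf_bytes):
    """Return the /URI action targets in document order, unescaped."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]

def path_shape(url):
    """Directory part of the URL path with every digit run collapsed to N."""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0])

def link_farm_verdict(pdf_bytes, size_limit=100 * 1024, min_links=5,
                      pdf_ratio=0.6, cluster_share=0.5):
    """Flag a small PDF whose clickable links are mostly external .pdf
    targets clustered on one host or one path layout (assumed thresholds)."""
    urls = extract_uri_links(pdf_bytes)
    pdf_links = [u for u in urls
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    shapes = Counter(path_shape(u) for u in pdf_links)
    n = max(len(pdf_links), 1)
    host_share = hosts.most_common(1)[0][1] / n if hosts else 0.0
    shape_share = shapes.most_common(1)[0][1] / n if shapes else 0.0
    flagged = (len(pdf_bytes) <= size_limit and len(urls) >= min_links
               and len(pdf_links) / max(len(urls), 1) >= pdf_ratio
               and max(host_share, shape_share) >= cluster_share)
    return {"size": len(pdf_bytes), "links": len(urls),
            "external_pdf": len(pdf_links), "top_host_share": host_share,
            "top_path_shape": shapes.most_common(1)[0][0] if shapes else None,
            "top_shape_share": shape_share, "flagged": flagged}

if __name__ == "__main__":
    for label, urls in (("sample", SAMPLE_URLS), ("benign", BENIGN_URLS)):
        print(label, link_farm_verdict(build_sample_pdf(urls)))
```

The path-shape clustering is what separates this sample from a legitimate bibliography: a real reference list points at many hosts with unrelated paths, whereas a generated carrier reuses one upload-path template across throwaway domains.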

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000039f3.bin
SHA-256:  2b23900250ec5a5d69570665e691301169e26e9c4d653cbd4e99d4970a91fda4
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x39F3
Size:     8180 bytes
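How an artifact row like the one above is produced, as an added Python example (not the analyser's own code): walk the PDF's objects, inflate each FlateDecode stream, keep only streams that open with an sfnt tag (TrueType/OpenType container), and record offset, size, SHA-256 and the table directory. The PDF and font bytes are constructed here so the block runs offline; the output filename imitates the report's font_NN_sfnt_offXXXXXXXX.bin naming as an assumption about how the analyser names carved files.

```python
"""Added example: carve font streams from a PDF's raw bytes and accept only
sfnt containers before hashing them. Not the analyser's code; the PDF, the
font blob and the filename pattern are constructed/assumed for the demo."""
import hashlib
import re
import struct
import zlib

# sfnt version tags: TrueType (0x00010000 or 'true'), CFF OpenType, collection.
SFNT_MAGIC = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}

def build_fake_sfnt():
    """TrueType-shaped blob: 12-byte sfnt header plus one 'head' entry."""
    head = b"\x00" * 54                       # a real head table is 54 bytes
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    entry = struct.pack(">4sIII", b"head", 0, 12 + 16, len(head))
    return header + entry + head

def flate_stream(extra_keys, payload):
    """One PDF stream object body with a /FlateDecode filter."""
    data = zlib.compress(payload)
    return (f"<< /Length {len(data)} {extra_keys} /Filter /FlateDecode >>\n"
            .encode() + b"stream\n" + data + b"\nendstream")

def build_sample_pdf(font_blob):
    """Raw object sequence without an xref: carving works on bytes alone."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /FontDescriptor /FontName /Fake /FontFile2 4 0 R >>",
        flate_stream(f"/Length1 {len(font_blob)}", font_blob),
        flate_stream("", b"BT /F1 12 Tf (not a font) Tj ET"),  # page content
    ]
    return b"%PDF-1.4\n" + b"".join(
        f"{i} 0 obj\n".encode() + body + b"\nendobj\n"
        for i, body in enumerate(objs, start=1))

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def carve_fonts(pdf_bytes):
    """Inflate every stream, keep those whose first 4 bytes are an sfnt tag,
    and record offset, size, hash and table tags. Scanning to 'endstream'
    instead of honouring /Length is a simplification for this example."""
    found = []
    for m in OBJ_RE.finditer(pdf_bytes):
        body = m.group(2)
        s = STREAM_RE.search(body)
        if not s:
            continue
        raw = s.group(1)
        data = raw
        if b"/FlateDecode" in body[:s.start()]:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue                      # truncated or not zlib at all
        magic = data[:4]
        if magic not in SFNT_MAGIC:
            continue
        tables = []
        if magic != b"ttcf":                  # collections use another header
            (num_tables,) = struct.unpack(">H", data[4:6])
            tables = [data[12 + 16 * i: 16 + 16 * i].decode("latin-1")
                      for i in range(num_tables)]
        offset = m.start(2) + s.start(1)      # absolute offset of stream data
        found.append({
            "obj": int(m.group(1)),
            "stream_offset": offset,
            "size": len(data),
            "sha256": sha256_hex(data),
            "tables": tables,
            # Assumed naming, modelled on the report's carved-font filenames.
            "filename": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
        })
    return found

if __name__ == "__main__":
    for font in carve_fonts(build_sample_pdf(build_fake_sfnt())):
        print(font)
```

The magic check matters more than the /FontFile2 key: a stream referenced as a font but not starting with an sfnt tag is worth a second look, and a stream that is a font but referenced from nowhere is how smuggled payloads hide in otherwise ordinary converter output.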