Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d765c93a2e4eb1a…

Verdict: MALICIOUS
File type: PDF
Size: 49.7 KB
Authoring application: Karbon
MD5: 9566ff2f248af3101922fd3753ef92c7
SHA-1: 8c0ba33001dd003baf9a18e3365cab004836b668
SHA-256: 4d765c93a2e4eb1aab5ce40e6b4cbf05b9fe249ebaa7a224961e0c728361a087
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links to other PDF files hosted on various domains. This behavior is indicative of a link farm or redirection scheme, likely intended to lead users to malicious content or phishing pages. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-generation motive.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://foreverplay.org/uploads/1/3/0/5/130589411/kisofajeduxajuxa.pdf
    • http://www.jbestportfolio.com/uploads/1/3/0/6/130620454/gajonifurerid_pibimew.pdf
    • http://naturebringsmepancackes.com/uploads/1/3/0/7/130740492/rinimujurejovofo.pdf
    • http://mesh1nfo.com/uploads/1/3/0/6/130621004/b67c8b8b.pdf
    • http://mail.lisalanducci.com/uploads/1/3/0/2/130272640/f6dadd5445.pdf
    • http://swilliamsphotos.com/uploads/1/3/0/7/130776779/3590830.pdf
    • http://4bcenter.com/uploads/1/3/0/5/130543020/2123895.pdf
    • http://proletas.com/uploads/1/3/0/7/130739500/nogitutag.pdf
    • http://purepulse.net/uploads/1/3/0/4/130488935/4583509.pdf
    • http://upclear.org/uploads/1/3/0/5/130589037/2747413.pdf
    • http://www.the-young-contrarian.com/uploads/1/3/0/2/130288378/a246131f329c705.pdf
    • http://drreedallergydoctor.com/uploads/1/3/0/5/130540583/facb9.pdf
    • http://jbriggsmultimedia.com/uploads/1/3/0/5/130588824/kegufikojaxego_zipasuxirobu.pdf
    • http://www.mygetfitkitchen.com/uploads/1/3/0/3/130379426/wujefegavikut-fazikufijojob-bivitosino.pdf
    • http://nmation.org/uploads/1/3/0/7/130739156/4177051874.pdf
    • http://www.thehlifeonline.com/uploads/1/3/0/9/130969162/19e4d.pdf
    • http://modern-energy.co.uk/uploads/1/3/0/2/130271076/2935141.pdf
    • http://bacalandersengarrison.com/uploads/1/3/0/4/130478602/39b6c19329.pdf
    • http://www.ztvguide.com/uploads/1/3/0/6/130639949/5cb29d860e.pdf
    • http://mevsimyalitim.com/uploads/1/3/0/3/130379757/datonid.pdf
    • http://stevengoodey.adviser.live/uploads/1/3/0/6/130639517/59f66be9ec6644a.pdf
    • http://ezinvoicepro.com/uploads/1/3/0/7/130775982/e46e2fe.pdf
    • http://turneduplife.voyagerwebsites.com/uploads/1/3/0/4/130490875/130490875.html#treatment+of+acute+hypercapnic+respiratory+failure
    • http://jbriggsmultimedia.com/uploads/1/3/0/5/130588824/kegufikojaxego_zipasuxirobu.p

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off000048f5.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x48F5
    Size: 16036 bytes
  • font_01_sfnt_off0000603b.bin
    SHA-256: 56028ce893d1f8883395fb92a43e9dd78ce7507fe0462af069ec1537b7fd4387
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x603B
    Size: 8288 bytes