Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e539c9e15f613e6…

Verdict: MALICIOUS
File type: PDF
Size: 35.4 KB
Authoring application: Nitro PDF
MD5: 5ad42929a1a3f045ca5fb86eed87c0ea
SHA-1: a4b1261f2b27d29466a0412ef97f9229aa22d79a
SHA-256: 4e539c9e15f613e6733130d83d3d8b982fa9b94b190d6b2a10524f9b0c388a60
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious redirection intent. The embedded URLs are likely used to redirect the user to malicious content or phishing pages.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003049.bin
SHA-256: c67da82461aae929a30176293b716ec17cae8b0dd98cb7ce8283da2fd49bc4b5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3049
Size: 7420 bytes