Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ed3d9ecf9792f67…

Verdict: MALICIOUS
File type: PDF
Size: 41.5 KB
Authoring application: Pdftk
MD5: 8c8a407568c836b996770a8b99e33a9d
SHA-1: 9b4e72bda61a50aae006822a4752263dcee0c554
SHA-256: 4ed3d9ecf9792f6721127eb37c91894ce76b9f52446a99b32536b886c4383e28
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the 'PDF_SEO_LINK_FARM' heuristic and ClamAV detection. The document body itself is heavily obfuscated but contains references to the URLs, reinforcing the malicious intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000012ba.bin
    SHA-256: d29bb2ed543abf0bd11e0a7a1e48e37c628b9963373a0513ee7fdec83e06cbb8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12BA
    Size: 8260 bytes