Malicious PDF — malware analysis report

Static analysis result for SHA-256 4eff0876ee04e51c…

MALICIOUS

PDF

Size: 40.2 KB
Authoring application: Mobipocket Creator
MD5: 91c658a58fed354c2a1a0888d34946ea
SHA-1: c56a94bdb8ff02911c2e4d911ad03633be22f6e3
SHA-256: 4eff0876ee04e51c388a1ce166ca92b2fba41aa561e4e5dfed0aff73334f0aae
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests the file is designed to redirect users to other potentially malicious content or to manipulate search engine rankings. The ClamAV detection further confirms its malicious nature. No scripts were extracted from this sample, limiting the analysis of specific execution behaviors.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Dropper.Agent-7881274-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7881274-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://riddlefamilyranchgrassfedbeef.com/uploads/1/3/0/6/130605217/72e97.pdf
    • http://datasave-app.com/uploads/1/3/0/6/130604771/dagupetofuja_tefalaxut_pugugubilo.pdf
    • http://citizen-agency.com/uploads/1/3/0/2/130289540/kizerofe.pdf
    • http://connectatc.org/uploads/1/3/0/5/130590682/fefavidibidofixe.pdf
    • https://derasonosewi.weebly.com/uploads/1/3/0/5/130539267/3260061.pdf
    • http://shopsexxyness.com/uploads/1/3/0/6/130620282/wopuwetebiba_tezuzojuler.pdf
    • http://theclearingfarm.com/uploads/1/3/0/6/130639325/vetixinasejalo.pdf
    • http://gospelsupply.org/uploads/1/3/0/6/130621789/rumegilil_kowarilavas_wubuk_nekiba.pdf
    • http://hamcox-ray.com/uploads/1/3/0/6/130605204/suselagut.pdf
    • http://dianataylortarot.com/uploads/1/3/0/5/130543537/polaj.pdf
    • http://metalslitter.com/uploads/1/3/0/3/130324357/jekijafo-vulilogonenobo.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/7/130738578/130738578.html#cardiac+tamponade+cause

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001294.bin
    SHA-256: ebedeaa0846b898fe8bbae8c14185f7afba7ad25e0d864738a0e9d88f3402202
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1294
    Size: 7928 bytes