Malicious PDF — malware analysis report

Static analysis result for SHA-256 510d51f3b57e5e0b…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Authoring application: Smallpdf Desktop
MD5: 701fbe77bbe1e0f8f8897e54b1bb2e1b
SHA-1: 2e0a7ea19cf258d491b2fda57a9821de2446994a
SHA-256: 510d51f3b57e5e0b928b29fad74ea1721c88fd1a324250abb62c993903d3cd72
Risk score: 120

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, a common technique in SEO poisoning and phishing campaigns. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests phishing intent. The embedded document body text, while partially corrupted, contains phrases such as 'Hungry hungry hippos walmart canada', which appear to be lures intended to entice clicks on the numerous external URLs found within the document.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00003881.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3881
    Size: 2596 bytes
    SHA-256: 87fd6b1a35a64f5c2d30902eea89631a9c05d6b36ef70c6d0cee4d2ad867525e
  • font_01_sfnt_off00004447.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4447
    Size: 9028 bytes
    SHA-256: 0a61e65d84aa1519f1bab6e6867deec09a1e57779f7e6b0651bfbfa496aad1f5