Malicious PDF — malware analysis report

Static analysis result for SHA-256 513d9e1de4773c80…

Verdict: MALICIOUS

File type: PDF
Size: 36.2 KB
Authoring application: pstoedit

MD5: 55c3fa09a606f82443aa5dd3fe4a2a36
SHA-1: a2fb1a44f57e7bc4da8425220ffa668bcfb3df91
SHA-256: 513d9e1de4773c804eecffc1f8bdc7a0016cddad759f10c4556cd31b8f4a40fa

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to other PDF files hosted on various domains, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, most likely phishing or traffic redirection. The document body contains text about converting Word files to PDF and carries many of these external links, which suggests the text is a lure to make the reader click through them.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000341a.bin
    SHA-256: f98b671b480129621cee3b094a413f24742dbf7115a95a8db6e9dcff2fb50e35
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x341A
    Size: 7992 bytes