Malicious PDF — malware analysis report

Static analysis result for SHA-256 51b6a5c8434fada8…

Verdict: MALICIOUS
File type: PDF
Size: 47.1 KB
Authoring application: GIMP
MD5: 46b6b856c712f419bed9261e515d3824
SHA-1: 2ce978318773c2d40ac7f15e39fbfdc9736b8c50
SHA-256: 51b6a5c8434fada8f084ed5a690a9b2ba1610ab11633713e4030388466558a25
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious-redirection intent. The document body is heavily obfuscated and repeats many of the same URLs, reinforcing the attack pattern.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off00001633.bin | 30eba54042e16aa620534c6246a6853085830dc284cdf06e254d6b48cf127508 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1633 | 9328 bytes
font_01_sfnt_off00006bf8.bin | 3f66fde3d598d448d441281ee2991d3adcdfb6038811367f9bbe67bf786d317c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6BF8 | 19592 bytes