Malicious PDF — malware analysis report

Static analysis result for SHA-256 532b4e2786add804…

Verdict: MALICIOUS
File type: PDF
Size: 47.2 KB
Authoring application: Scribus
MD5: 8794912c846ca0667d84162d7c6852e0
SHA-1: 4758b8ec1960d32ee3fe94230dd6cebce772b305
SHA-256: 532b4e2786add804b87febcbf859c43d63c67dd175522aad7783393d41ed6806
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded external links, as detected by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection further confirms its malicious nature, identifying it as Pdf.Phishing.TtraffRobotInstall. The embedded URLs are likely used to redirect users to malicious sites or to manipulate search engine results. The document body contains fragmented text related to roofing contractors, which appears to be a lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000169c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x169C | 8888 bytes
    SHA-256: 3e9769948d383defb7c5a2a6d02c45ad38cb580d9e7f3af792c69a6cd33a756e
font_01_sfnt_off00007108.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7108 | 16204 bytes
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d