Malicious PDF — malware analysis report

Static analysis result for SHA-256 54e3e9f4eb318c6d…

MALICIOUS

PDF

Size: 38.3 KB    Authoring application: Inkscape
MD5:     79d500370223f1a1c30ff0347760dad0
SHA-1:   b2ce7c653f20bf2648d74a3d556b66037d6d656e
SHA-256: 54e3e9f4eb318c6d7cb2b752083fdb4cf5fc4b3a18337dca21b06764eaa38e85
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment    T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The two dozen extracted link targets are spread over as many unrelated hosts, but every one of them uses the same /uploads/1/3/0/<d>/<9-digit id>/<name>.pdf path template (plus one .html target carrying a keyword-stuffed fragment), which is what marks them as a generated campaign rather than ordinary document citations. This is consistent with a phishing or SEO-manipulation carrier, and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently classifies the file as phishing. No scripts were extracted from this sample, and the document body is heavily corrupted, so the lure text itself could not be recovered.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://artworkrunner.com/uploads/1/3/0/6/130621588/b996d19822.pdf
    • http://cpanel.entertain.hk/uploads/1/3/0/5/130589270/fd63add.pdf
    • http://dragonflyhairco.com/uploads/1/3/0/5/130590273/kowewe.pdf
    • http://opynestrategies.org/uploads/1/3/0/4/130435895/wirel_xonomowalen_retejudo_logug.pdf
    • http://amdberlin.com/uploads/1/3/0/7/130776409/tiluvetutupi.pdf
    • http://moniquesdreamsounds.com/uploads/1/3/0/5/130589156/bufuderevopa-tokejezozipi-dajipujovag-fulebegisuri.pdf
    • http://msdixonart.com/uploads/1/3/0/6/130639877/8118488.pdf
    • http://fieldassetview.net/uploads/1/3/0/5/130588304/bf06afc6cf31ed1.pdf
    • http://indiecomicshub.com/uploads/1/3/0/5/130589090/1668265.pdf
    • http://darcmantona.com/uploads/1/3/0/4/130476298/jumewofis.pdf
    • http://gatheringsocialhall.com/uploads/1/3/0/9/130969229/9d4ef1c9c4d5bf.pdf
    • http://gussbusn.com/uploads/1/3/0/7/130739288/5dd51b12895b.pdf
    • http://privateequityaccountingjobs.com/uploads/1/3/0/2/130270997/filuguvop_vijibugema.pdf
    • http://sayvoz.com/uploads/1/3/0/5/130589085/c7b659f65103c34.pdf
    • http://shabazztribe.com/uploads/1/3/0/4/130483703/9550661.pdf
    • http://acceleratecleaning.com/uploads/1/3/0/6/130603874/74725c65562c19.pdf
    • http://alexander-studio.net/uploads/1/3/0/2/130272932/warexot.pdf
    • http://scientificdirections.com/uploads/1/3/0/2/130270900/8291904.pdf
    • http://glslang.org/uploads/1/3/0/2/130287997/6fa2ce34.pdf
    • http://alcojuice.com/uploads/1/3/0/4/130488810/7632981.pdf
    • http://witteconstruction.com/uploads/1/3/0/4/130436020/2128546.pdf
    • http://www.georgeannascloset.com/uploads/1/3/0/8/130814774/gimurox-jukozufulume.pdf
    • http://tiddlywikitips.com/uploads/1/3/0/8/130813364/1436024.pdf
    • http://encore00028.voyagerwebsites.com/uploads/1/3/0/7/130739885/130739885.html#steelseries+arctis+pro+wireless+equalizer+settings+cs+go
    • http://acceleratecleaning.com/uploads/1/3/0/6/130603874/74725c655
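The following Python is an added example and is not the analysis tool's own code. It shows the two mechanisms the heuristics above rely on: extracting URLs from a PDF and labelling each by the channel that reached it (link annotation /URI action vs. raw document body), and then applying a link-farm heuristic to the link-annotation URLs. The thresholds (100 KB, 10 links, 50 % cluster share), the function names, and the .example hosts in the constructed sample PDF are all assumptions; the real tool's values are not on the page. The heuristic deliberately clusters on path template as well as on host, because the sample above spreads its links over many hosts that share one path shape. The parser is a deliberately simple byte-level scan: it sees only uncompressed literal strings, so objects inside compressed streams or hex-encoded /URI strings would be missed in a real sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed heuristic thresholds (illustrative, not the tool's real values).
MAX_SIZE_BYTES = 100 * 1024
MIN_EXTERNAL_LINKS = 10
MIN_CLUSTER_SHARE = 0.5

# /URI (literal string) inside a link action; hex strings and object streams are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
RAW_URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")


def build_sample_pdf(urls, body_text=b""):
    """Build a minimal PDF (no xref table) with one /Link annotation per URL and
    an uncompressed content stream. Constructed test input, not the analysed sample."""
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    stream = b"BT /F1 12 Tf 72 720 Td (" + body_text + b") Tj ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
        + annots + b"] >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    for u in urls:  # object 5.. are the link annotations
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ("
                    + u.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def unescape_pdf_string(raw):
    """Undo the literal-string escapes that matter for URIs: \\\\, \\( and \\)."""
    return re.sub(rb"\\([\\()])", rb"\1", raw).decode("latin-1")


def extract_urls(pdf_bytes):
    """Return (channel, url) pairs. URLs reached through a /Link /URI action are
    labelled 'link_annotation'; any other http(s) string in the raw bytes
    (uncompressed body text, metadata) is labelled 'document_body'."""
    annot = [unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]
    found = [("link_annotation", u) for u in annot]
    seen = set(annot)
    for m in RAW_URL_RE.finditer(pdf_bytes):
        u = m.group(0).decode("latin-1")
        if u not in seen:
            seen.add(u)
            found.append(("document_body", u))
    return found


def path_template(url):
    """Collapse a URL path to its shape: digit runs become N, the file name becomes *."""
    parts = urlsplit(url).path.split("/")
    return "/".join([re.sub(r"\d+", "N", p) for p in parts[:-1]] + ["*"])


def link_farm_verdict(pdf_bytes):
    """Apply the (assumed) PDF_SEO_LINK_FARM logic: small file, many external .pdf
    link annotations, and the targets cluster on one host OR one path template."""
    links = [u for ch, u in extract_urls(pdf_bytes) if ch == "link_annotation"]
    external_pdf = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    n = len(external_pdf)
    hosts = Counter(urlsplit(u).hostname for u in external_pdf)
    templates = Counter(path_template(u) for u in external_pdf)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    fires = (len(pdf_bytes) <= MAX_SIZE_BYTES and n >= MIN_EXTERNAL_LINKS
             and max(top_host_share, top_template_share) >= MIN_CLUSTER_SHARE)
    return {
        "size": len(pdf_bytes),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host_share, 2),
        "top_path_template": templates.most_common(1)[0][0] if n else None,
        "top_template_share": round(top_template_share, 2),
        "PDF_SEO_LINK_FARM": fires,
    }


# Constructed sample: 12 .pdf links on 12 different hosts sharing one path shape,
# plus one .html target, mirroring the pattern in the report (hosts are placeholders).
SAMPLE_URLS = [
    "http://site%02d.example/uploads/1/3/0/%d/1305%05d/%s.pdf"
    % (i, i % 10, 89000 + 7 * i, "f%x" % (0xABC + i))
    for i in range(12)
] + ["http://site99.example/uploads/1/3/0/7/130739885/130739885.html#lure-keywords"]
SAMPLE_BODY = b"Download the document: http://lure-page.example/index.html"

if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URLS, SAMPLE_BODY)
    for channel, url in extract_urls(pdf):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(pdf))
```

Running it lists thirteen link_annotation URLs and one document_body URL, and the verdict fires on the template share (1.0) even though the host share is only 0.08; the same three-link PDF does not fire. In practice the channel label matters as much as the URL: a URL in a link annotation is one click away from the user, while a URL in body text only tells you what the lure says.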

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000032ed.bin
SHA-256:  d05caa191ffab14ded08711d7fa3c8b30c2e0a071b4b6897c26ca60adefdc0d0
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x32ED
Size:     8068 bytes