Malicious PDF — malware analysis report

Static analysis result for SHA-256 5574af7d47d04958…

MALICIOUS

PDF

31.9 KB Authoring application: Mobipocket Creator
MD5: 8bea3d4fb030febf78c47930424f4139 SHA-1: 605caf382dbeea40fc18bbeabad1c259a4f3d8da SHA-256: 5574af7d47d04958fdbcb057be193280c64a949edc55d2f6166cf5c068bddc9a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique commonly used for SEO poisoning or phishing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The document body, though heavily obfuscated, contains references to 'Geospring hot water heater error codes' which may be used as a lure.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shengen.info/uploads/2020/01/29/206e51ba1a.pdf
    • http://vintagefairedecor.com/uploads/1/3/0/4/130489055/sexiwejubikirevidilu.pdf
    • http://moonlight.gffgrow.org/uploads/1/3/0/2/130289397/1321731.pdf
    • http://bigbonedfitness.com/uploads/1/3/0/5/130544413/lolizerode.pdf
    • http://crystalrenes.com/uploads/1/3/0/5/130589125/9bc92b2.pdf
    • http://buysellbell.com/uploads/1/3/0/6/130604940/xukerutiwolusokedi.pdf
    • http://juliejesternewman.com/uploads/1/3/0/6/130621116/130621116.html#geospring+hot+water+heater+error+codes
    • http://juliejesternewman.com/uploads/1/3/0/6/130621116/130621116.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001091.bin
51c652ccfd492578cee1da1fa312e628e329d3487e37b8be570275d101052ebd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1091 7556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.