Malicious PDF — malware analysis report

Static analysis result for SHA-256 5619b91ef6d5884e…

MALICIOUS

PDF

Size: 34.2 KB
Authoring application: Mobipocket Creator
MD5: 58799ff8d8e9829361915af0c274b0b2
SHA-1: 6b647f89d7f2169359fb94a838587315471351ff
SHA-256: 5619b91ef6d5884e1737c492531a980fb7b1c76439ff80004e1281d427a11979
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external websites, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though partially corrupted, suggests a lure related to 'Code vein gift exchange guide'. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The primary purpose appears to be directing users to a network of potentially malicious URLs.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001274.bin
SHA-256: d715616f295843780621c559714565c3983cbf758a6bc6aa3be862a3e7567a30
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1274
Size: 8048 bytes