Malicious PDF — malware analysis report

Static analysis result for SHA-256 561e45ffbf18e8bf…

MALICIOUS

PDF

42.2 KB Authoring application: Adobe PDF Library 9.0
MD5: 55b8f66acd278f8772824e0aec620d34 SHA-1: 4477b95bce124073f13696003f1fea16da7e426f SHA-256: 561e45ffbf18e8bf6efd859ecf6dfee134f3ec7188b57502d58201fad6c697ff
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, identified as a link farm, with the dominant host being ledi.graphicgeekworld.online. This, combined with the ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0', strongly suggests a phishing or scam campaign. The presence of a visual download button further supports the lure. No scripts were extracted from this sample, but the structure and heuristics point to a malicious intent to redirect users to potentially harmful content.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ledi.graphicgeekworld.online/uploads/2020/01/27/1369918d.pdf
    • http://plastyir.ru/uploads/2020/01/28/7583836.pdf
    • http://tisenuwova.audiostart42.icu/uploads/2020/01/27/9c8feb42e79efc6.pdf
    • http://factor-neuro.com/uploads/2020/01/27/5506594.pdf
    • http://kkylosov.ru/uploads/2020/01/27/4263939.pdf
    • http://pot.dog-express.ru/uploads/2020/01/29/mejuwitokidola.pdf
    • http://livainrulit.ru/uploads/2020/01/27/ragobem.pdf
    • http://kapital-ltd.ru/uploads/2020/01/27/firarivuju-dagaramimeti-kakum-rusupenu.pdf
    • http://daradee.com/uploads/1/3/0/6/130603763/8842256.pdf
    • http://fiw.lcmevents.com/uploads/2020/01/27/6143474.pdf
    • http://vanapidafa.0706shpps03.fun/uploads/2020/01/28/junivixavoxik_musuje_welabu_zugetu.pdf
    • https://tegalelo.weebly.com/uploads/1/3/0/3/130323914/e706134cc.pdf
    • http://thekashempire.com/uploads/1/3/0/4/130489097/pitemadowi.pdf
    • http://thehappygirlstore.com/uploads/1/3/0/5/130551434/130551434.html#acca+financial+reporting+notes+pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001384.bin
1864e7feaf4ff8eb3d22b0ae5c572f607daed76f3ca40eca691f540446b621b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1384 8432 bytes
font_01_sfnt_off00005e48.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E48 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.