Malicious PDF — malware analysis report

Static analysis result for SHA-256 561eb74faf3a328d…

Verdict: MALICIOUS
File type: PDF
Size: 66.7 KB
Authoring application: PDF Studio
MD5: 3f988f9542928ce82b5fc5c43f95f36a
SHA-1: 8f490cb29b67374d0620fafa0b2595c594fd0fb9
SHA-256: 561eb74faf3a328dc0d22bdaf183d3e7998d983b9989ab366550ff65362b5313
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, which is a strong indicator of malicious intent, likely for SEO manipulation or phishing. The ClamAV detection further supports its malicious nature. No scripts were extracted from this sample, and the document body was unreadable, so the rationale is based solely on the link farm and ClamAV detection.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0000953e.bin
    SHA-256: b13ab2fbed0c5e39566b2cfd3d120a3c22dab70258ba36a4e26cbff2e64d70e2
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x953E
    Size: 29532 bytes
  • Filename: font_00_sfnt_off000079c2.bin
    SHA-256: d558d74753b87bc6bae4b0edca3a45ec00f78cbcf8bc1fb4f4c2fb5b0ae8d1ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79C2
    Size: 6648 bytes