Malicious PDF — malware analysis report

Static analysis result for SHA-256 56cfc8fd016900bb…

MALICIOUS

PDF

35.3 KB Authoring application: GIMP
MD5: 57ae3caff60cad460120c12b9bdc7288 SHA-1: 6589ebb026f11efb4147e672e9ce3e41aed05c86 SHA-256: 56cfc8fd016900bbb10f064ec088406f5421403efcb842ca7df12850a8e81ab1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files, indicating a link farm or distribution mechanism. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' suggests a phishing or traffic redirection intent. The embedded URLs are the primary IOCs, suggesting the document's purpose is to redirect users to potentially malicious content hosted on these domains.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://badkittymojo.com/uploads/1/3/0/7/130740483/migiwexawi.pdf
    • http://middletonandnewbigginparishcouncil.org/uploads/1/3/0/6/130621905/0d5ab2b4453c.pdf
    • http://racheldemeritt.com/uploads/1/3/0/6/130621502/livufojob.pdf
    • http://www.fpmsgroup.com/uploads/1/3/0/4/130489742/78179.pdf
    • http://callingallsouls.net/uploads/1/3/0/6/130604653/zojulif.pdf
    • http://quakerspeak.org/uploads/1/3/0/3/130323894/megetigudeg_rawukosez_jujojuliw_sejuxetewuk.pdf
    • http://3riverpartners.com/uploads/1/3/0/5/130588403/bf157e.pdf
    • http://bfcxpress.com/uploads/1/3/0/3/130323417/f11c7f4dec8c9ab.pdf
    • http://ccmun.ca/uploads/1/3/0/7/130740205/8489170.pdf
    • http://simonichfinancial.com/uploads/1/3/0/7/130738684/6024807c167a225.pdf
    • http://niagaranaturalfertility.ca/uploads/1/3/0/7/130740514/bd8c6b7512e1.pdf
    • http://conservedslabs.com/uploads/1/3/0/2/130288559/vikajidudefuse.pdf
    • http://orthogistic.com/uploads/1/3/0/2/130288602/baf039c.pdf
    • http://katherinesiu.com/uploads/1/3/0/6/130620909/73e3b57059e85f.pdf
    • http://inshopper.site/uploads/1/3/0/2/130289163/tefagefulemijak-lupijalaziziwet.pdf
    • http://www.bridge33.net/uploads/1/3/0/7/130776147/tifixilukoron.pdf
    • http://74-123-75-90.mgwnet.com/uploads/1/3/0/6/130621521/130621521.html#ppt+on+spermatogenesis+and+oogenesis

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002eca.bin
911d05aca491d03c5a0ee2eb66d1e57ef88a8128117136ac469bcefcbe77190f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2ECA 7692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.