Malicious PDF — malware analysis report

Static analysis result for SHA-256 56d8a344f150ff5f…

Verdict: MALICIOUS
File type: PDF
Size: 47.1 KB
Authoring application: Scribus
MD5: 6aada6030436f961ee87fe02170bdb17
SHA-1: 518bf327fd61dd4c29ef183f7f4a9ac7bf1be1ed
SHA-256: 56d8a344f150ff5f41267592aa556e9f94e2dc05b7aea24760a193029afd81b2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs, indicating a link farm likely used for SEO manipulation or to distribute further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or traffic redirection scheme. No scripts were extracted, but the heuristic 'PDF_SEO_LINK_FARM' and the numerous unknown-reputation URLs point to a malicious distribution or redirection campaign.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://newsellco.com/uploads/1/3/0/7/130738716/990627.pdf
    • http://artm.solutions/uploads/1/3/0/4/130488834/sanuwiwitu_zajiti.pdf
    • http://reliancemartialarts.com/uploads/1/3/0/6/130639635/nojupopi.pdf
    • http://suxijosu.audiostart29.icu/uploads/2020/01/29/wowal.pdf
    • http://greenearthteen.com/uploads/1/3/0/4/130488328/9991004.pdf
    • http://bitcoinserv.co.uk/uploads/1/3/0/5/130551718/3090933.pdf
    • http://novul.7artllc.com/uploads/2020/01/29/fuxipux.pdf
    • http://ps110k.com/uploads/1/3/0/5/130539981/b304356c800f0a9.pdf
    • http://davediamond.info/uploads/1/3/0/6/130621116/kadigi.pdf
    • http://doublecfarms.net/uploads/1/3/0/2/130270738/gepifuto_xuvamegimeju.pdf
    • http://wecanimpressyou.com/uploads/1/3/0/4/130435833/d7fad33ca.pdf
    • http://miriraisithole.com/uploads/1/3/0/5/130551235/43562ed644d.pdf
    • http://bsa-sccc-pack301.com/uploads/1/3/0/3/130323172/130323172.html#frasi+su+anticonformismo

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001342.bin
SHA-256: d05fbdcee082ba1a45b21ce463559dc4e80ee7d934925b61c1f8e7894fad711c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1342
Size: 9572 bytes