Malicious PDF — malware analysis report

Static analysis result for SHA-256 57fbe41958473cfe…

MALICIOUS

PDF

Size: 71.1 KB
Authoring application: Adobe PDF Library 9.0
MD5: 47ec7ff71d5f8282c68450fb27777ac1
SHA-1: 6c4e8b67c593b63d5e1bd4ae4af45ce1a3f7faf0
SHA-256: 57fbe41958473cfe5ce6255885e268d081a7110f00c76eee9d4d17e5b73bf0be
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic. These URLs point to other PDF files hosted on various domains, suggesting a link farm or a distribution mechanism for malicious content. The ClamAV detection as Pdf.Dropper.Agent-7715745-0 further confirms its malicious nature. The document body is heavily obfuscated and does not provide clear textual lures.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-7715745-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7715745-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://teamworkprofile.com/uploads/1/3/0/5/130543848/muzogeda.pdf
    • http://mrrick.net/uploads/1/3/0/8/130813372/1765030.pdf
    • http://fantasy67.goteamonline.com/uploads/1/3/0/4/130483539/7643297.pdf
    • http://lizdemigreen.com/uploads/1/3/0/4/130488067/juzitevotuviwutuvu.pdf
    • http://rvavirtualtours.com/uploads/1/3/0/5/130539438/2293338.pdf
    • http://listislanddesign.com/uploads/1/3/0/2/130289441/9d00a.pdf
    • http://cordiaaladvies.nl/uploads/1/3/0/7/130775927/lodelibovotasije.pdf
    • http://aialumassage.com/uploads/1/3/0/6/130639107/petalafevites.pdf
    • http://www.evidentone.com/uploads/1/3/0/6/130605283/44ba290.pdf
    • http://beatrizgonzalezmusic.com/uploads/1/3/0/6/130604283/sabex-nimemesufafij.pdf
    • http://atoz2019.ca/uploads/1/3/0/7/130739343/zidij.pdf
    • http://jkruegerimages.com/uploads/1/3/0/5/130588220/zaxexak_kilogaxutexufor_xavonon_nufaze.pdf
    • http://kuniusedcars.com/uploads/1/3/0/6/130639629/punaxexusikiri_lazeseked_xokiwutodeka_benikamemetu.pdf
    • http://teammonstersinthemaking.com/uploads/1/3/0/6/130620468/24bca.pdf
    • http://phoenixukcontracts.co.uk/uploads/1/3/0/6/130604090/9872541.pdf
    • http://sachikonakamura.org/uploads/1/3/0/2/130271015/1feb947c7937.pdf
    • http://zrvcgh.bdgct.com/uploads/1/3/0/5/130543874/130543874.html#australia+iata+international+airport+code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000036a0.bin
    SHA-256: d48f8a6e04f4a6c20e06480c186b8b9037ce646861d0049ce834d6611b6761bf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x36A0
    Size: 11700 bytes