Malicious PDF — malware analysis report

Static analysis result for SHA-256 5805b497ee247419…

Verdict: MALICIOUS
File type: PDF
Size: 51.0 KB
Authoring application: Soda PDF
MD5: 7ca356ecf85d50e7a4ef5c296f7c7ebd
SHA-1: 2376cd3aa9a0a5bd2f235ecc89764420e8517301
SHA-256: 5805b497ee247419be3c894bad6e0bb45c61a0c0fae08e60e405874314dd7549
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, with the primary host being 'thehappygirlstore.com'. This behavior is indicative of a link farm used for SEO poisoning or phishing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection motive. The document body, though partially obfuscated, mentions 'Binomial tree excel template' as a lure, directing users to the identified malicious URL.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://thehappygirlstore.com/uploads/1/3/0/6/130639800/f03415c29088.pdf
    • https://kopepimabopof.weebly.com/uploads/1/3/0/4/130435574/6219345.pdf
    • http://sitgmo.org/uploads/1/3/0/4/130436367/ad4115e7.pdf
    • http://adventshorts.com/uploads/1/3/0/6/130621857/golofetafokomop.pdf
    • http://speakeroflife.com/uploads/1/3/0/4/130478067/3736103.pdf
    • http://freerunbasics.com/uploads/1/3/0/5/130539846/1f390.pdf
    • http://9f60dnj005.com/uploads/1/3/0/4/130488179/lebemokidi_zawebuxujez.pdf
    • http://actorheadshotphoto.com/uploads/1/3/0/5/130588712/9983859.pdf
    • http://verticesglobals.com/uploads/1/3/0/7/130740189/1275575.pdf
    • http://pianomethod.info/uploads/1/3/0/4/130435561/2423025.pdf
    • http://cbconservation.com/uploads/1/3/0/6/130605490/4bf79fccf2e.pdf
    • http://nprycetest.com/uploads/1/3/0/7/130776616/130776616.html#binomial+tree+excel+template

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001541.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1541
    Size: 9296 bytes
    SHA-256: 4ba232a37ef39207578428a30449f44314d4650e8da04430b0c17200021601d0
  • Filename: font_01_sfnt_off00008c58.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8C58
    Size: 2796 bytes
    SHA-256: 97a3418bd433653dafe652ac0a0841cf2f323fe672bd45d4cf3362d7102ed122