Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a1a345637fbb9a6…

Verdict: MALICIOUS
File type: PDF

Size: 44.2 KB
Authoring application: Pdftk
MD5: 43c75c8cc435e4c6838e12f2bca858b4
SHA-1: 5458ae8612660f6c4890842084717bc453f5b172
SHA-256: 5a1a345637fbb9a62e73f197272887e3c016e710a756cb84c9dee3260f72e444
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links pointing to external PDF files, a pattern commonly used in SEO-poisoning and phishing campaigns. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious-redirection intent. The document body, though heavily obfuscated, appears to relate to obstetric anesthesia textbooks, which is most likely a lure to disguise the malicious nature of the embedded links.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000051fd.bin
SHA-256: cf76050ba2fc4b278d737923ce2d2a045e31f1f6e6a7696646fd974591815743
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x51FD
Size: 9100 bytes