Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b86673d1fb7630f…

Verdict: MALICIOUS

File type: PDF

Size: 33.7 KB
Authoring application: Nitro PDF
MD5: 58905298f37476c77e4a3b0d2169dc49
SHA-1: 1d58d2a10cc10c1c4ce73c078b6baf26b62ce04f
SHA-256: 7b86673d1fb7630fa2652015aac3446372a14dbe17773fb19e3e3ca5e84967a5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. This behavior is indicative of a link farm designed to redirect users to potentially malicious content, as suggested by the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body, though heavily corrupted, contains fragments of URLs that align with the detected link farm.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://inmobiliariayome.com/uploads/1/3/0/6/130639107/657329.pdf
    • http://www.authorbellabryce.com/uploads/1/3/0/8/130814457/d7626012.pdf
    • http://basaltto.com/uploads/1/3/0/7/130739265/111948.pdf
    • http://mta-sts.mail.colfaxmusicltd.com/uploads/1/3/0/6/130603941/dijojibejawar.pdf
    • http://kittingergroup.com/uploads/1/3/0/6/130604344/dc45733cc996e70.pdf
    • http://oscarsterte.com/uploads/1/3/0/5/130551630/kofiworigesaw-wapit-tupunavi-kiwejakojejomir.pdf
    • http://ru4christ.net/uploads/1/3/0/6/130621303/3697045.pdf
    • http://gladcpr.com/uploads/1/3/0/5/130589180/lelosuxena-nepabewen.pdf
    • http://waxwingdjs.com/uploads/1/3/0/5/130544898/jonujer_mowenomideju.pdf
    • http://bluepearinvestments.com/uploads/1/3/0/2/130289448/rumelaxe-ralagaj-wuxegega.pdf
    • http://rosshousemuseum.ca/uploads/1/3/0/3/130379202/4933785.pdf
    • http://markeyforcongress.com/uploads/1/3/0/6/130604448/edf50f23.pdf
    • http://www.bandstreamtv.com/uploads/1/3/0/6/130639984/ffbd42c7d5da40.pdf
    • http://74-123-78-194.mgwnet.com/uploads/1/3/0/6/130640227/matuwag-lofamuvivipap.pdf
    • http://nexusfoto.com/uploads/1/3/0/7/130775694/456016.pdf
    • http://redkiteavoca.com/uploads/1/3/0/5/130588588/9866839.pdf
    • http://mgmalehair.com/uploads/1/3/0/6/130603978/24ef243bc4097f1.pdf
    • http://www.cetlgroup.org/uploads/1/3/0/8/130874097/130874097.html#mitsubishi+air+conditioner+remote+control+timer
    • http://mgmalehair.com/uploads/1/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000027d6.bin
SHA-256: 13b6664966df6fd4d60e333c99028d14a86051cbeed60e49eca28fad61870899
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x27D6
Size: 7512 bytes