Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cccdd9ea1fcc2e6…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Authoring application: Scribus
MD5: 8f047af927fbec978d3773e92036fb91
SHA-1: ff1f5743d5ae6e627010c1f30f2125a9ee799bdf
SHA-256: 7cccdd9ea1fcc2e6f8e06ceeae8b845ad47056066a2448ff9679f4195f80d09e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to redirect users to malicious sites. The ClamAV heuristic also flags this as a phishing-related PDF. The document body, though heavily obfuscated, mentions 'Comptia it fundamentals fc0-u61 free practice test', suggesting a lure to entice users into visiting the linked sites, which likely host further malicious content or phishing pages.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003643.bin
    SHA-256: 45c39c4315a5d00962143d4102937301eb2649728d6de39b959633cfc30365c3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3643
    Size: 16144 bytes
  • Filename: font_01_sfnt_off00004e31.bin
    SHA-256: e5db6dc47d191df12740131a7c41fae997f05982cb0261e63937e64ee6787000
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4E31
    Size: 8560 bytes