Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d0edcc1db27650c…

Verdict: MALICIOUS
File type: PDF
Size: 36.2 KB
Authoring application: SWFTools
MD5: de1aa71a434885492596c56a9c4ab1d9
SHA-1: 82fa79a1343b806c29f7b4485216f48cb992c5d7
SHA-256: 7d0edcc1db27650ce03f11a55da02438591fcdc272e36850c8c2f3efed447db3
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the SE_LOLBIN_RUN_COMMAND heuristic suggest malicious intent, likely related to phishing or distributing further malware. The primary attack pattern involves directing users to a vast array of linked PDF documents hosted on numerous domains.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_LOLBIN_RUN_COMMAND (high): Visible LOLBin command execution instruction
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://3bqdiamondkidz.com/uploads/1/3/0/6/130620482/tizux_lorifijifom_tabefasawajo_lotosusef.pdf
    • http://aux3ponts.com/uploads/1/3/0/3/130323633/7b8d7a3719.pdf
    • http://shaglife.com/uploads/1/3/0/6/130639616/ff60b79.pdf
    • http://melangeemporium.com/uploads/1/3/0/5/130543985/fc2e0491a03f4.pdf
    • http://innsbrookcitycenter.net/uploads/1/3/0/6/130603673/xemafu-rujaxu-bosenu-wumopales.pdf
    • http://mta-sts.mail.yourchoicepettransport.com/uploads/1/3/0/6/130604209/5636575.pdf
    • http://www.cosmetictattoostudio.com/uploads/1/3/0/2/130287302/givorimirezigukube.pdf
    • http://paintinghopefoundation.com/uploads/1/3/0/7/130776516/ruvizomep.pdf
    • http://michelehrose.com/uploads/1/3/0/6/130620788/0765eb.pdf
    • http://officialgoodboys.club/uploads/1/3/0/4/130488345/2310190.pdf
    • http://www.woodwerx.net/uploads/1/3/0/6/130604166/2557952.pdf
    • http://hostmaster.vanessadrew.com/uploads/1/3/0/7/130740502/5249999.pdf
    • http://bobselectric.co.uk/uploads/1/3/0/6/130604152/38d082488.pdf
    • http://hostmaster.cockapoorescuegb.org/uploads/1/3/0/5/130551775/9090601.pdf
    • http://railandrivermarket.com/uploads/1/3/0/7/130738913/2832284.pdf
    • http://jinwonhanglass.com/uploads/1/3/0/5/130588714/2830752.pdf
    • http://britanynavarretephotography.com/uploads/1/3/0/7/130775683/8dfc7c03.pdf
    • http://fallasleepblog.com/uploads/1/3/0/7/130776269/fepave_melawasawuge_zunoxadixoram_vefewavol.pdf
    • http://picacookie.com/uploads/1/3/0/6/130621060/3240576.pdf
    • http://host175.carmichaelnl.com/uploads/1/3/0/3/130323811/130323811.html#online+reading+comprehension+games+for+3rd+grade
    • http://mta-sts.mail.yourchoicepettransport.com/uploads/1/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002e8a.bin
    SHA-256: 7dab268f20c710d83dce0dc5e15d3d48b5334824aff5beca4819ca2817072fae
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E8A
    Size: 7916 bytes