Malicious PDF — malware analysis report

Static analysis result for SHA-256 80e5ca5368737294…

Verdict: MALICIOUS

File type: PDF
Size: 38.7 KB
Authoring application: QPDF
MD5: 42bd8b6317a2e616d786e10fa43ee9fa
SHA-1: 91e1956e178ffa3d8c2973ce94eb350a49f4046f
SHA-256: 80e5ca53687372945fb7216360bedacce8377a6f3d9a2eed2a554c8e88b85717
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of clickable link annotations pointing at external PDF files hosted on many different domains. Although the domains differ, the targets share an identical /uploads/1/3/0/<n>/<9 digits>/<name>.pdf path layout, the signature of one templated CMS deployment being used as a set of interchangeable hosts rather than of genuine citations. This matches the 'PDF_SEO_LINK_FARM' heuristic (a generated link-farm carrier that routes users into further malicious or unwanted-software delivery chains), and ClamAV independently flags the file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The single non-PDF target carries a 'cover+letter+sample+for+teacher+position' fragment, consistent with the visible document body, which is a cover letter template used as a lure to disguise the link-farm content. The file should be treated as a distribution stage: the linked PDFs are the next hop and should be retrieved and analysed only in an isolated environment.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mindfulmerchandise.org/uploads/1/3/0/3/130324440/renojavesip.pdf
    • http://acs-kw.com/uploads/1/3/0/7/130776436/051cd266322ccec.pdf
    • http://estate-protection.co.uk/uploads/1/3/0/4/130435701/surexifozujova.pdf
    • http://www.shopauthenticshoes.com/uploads/1/3/0/9/130969800/1488676.pdf
    • http://cpanel.wyliesday.org/uploads/1/3/0/8/130814143/dotegotefosafu.pdf
    • http://nataliemangalindandesign.com/uploads/1/3/0/6/130620528/69304ddce0.pdf
    • http://mojovideo.net/uploads/1/3/0/4/130435925/43f6059057db.pdf
    • http://www.audax-iscte.com/uploads/1/3/0/2/130272403/gekojegutu.pdf
    • http://msmaco.com/uploads/1/3/0/7/130739021/pesirodijexapupalo.pdf
    • http://keeganwhitedesigns.club/uploads/1/3/0/4/130483909/kibotobi_dizubama.pdf
    • http://www.yaelsusanrayman.com/uploads/1/3/0/6/130640047/5240284.pdf
    • http://labeach.com/uploads/1/3/0/6/130640141/c64210.pdf
    • http://engagedsport.org/uploads/1/3/0/6/130604363/4498247.pdf
    • http://rntechnet.com/uploads/1/3/0/5/130551219/ferogupef-beruto-xuwasizidip-nuxaxe.pdf
    • http://hostmaster.unitedyouthsingers.uk/uploads/1/3/0/7/130739375/wenumezebetinarek.pdf
    • http://tastefulexpressions.net/uploads/1/3/0/3/130323145/rofunotawobo_fajotirabuf.pdf
    • http://thatclassiccarshow.com/uploads/1/3/0/6/130605248/1a04e92fa.pdf
    • http://djfrofessor.com/uploads/1/3/0/5/130551935/ebd5d.pdf
    • http://fatmellon.com/uploads/1/3/0/2/130289611/f0ff36412.pdf
    • http://support.aurender.com/uploads/1/3/0/2/130289271/guzin-xesijumubidewu-rifanabidito.pdf
    • http://blaspheme48.pleasingfood.com/uploads/1/3/0/5/130539354/130539354.html#cover+letter+sample+for+teacher+position
    • http://labeach.com/uploads/1/3/0/6/130
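The following is an added triage example, not the scanner's own implementation of PDF_SEO_LINK_FARM: it pulls /URI targets out of a PDF's raw bytes and scores them against the pattern the heuristic describes (small file, many external clickable links, mostly .pdf, clustered together). It generalises the heuristic text in one respect: because the URLs in this report are spread over many domains but share one /uploads/1/3/0/... path template, links are clustered by path shape as well as by host. Thresholds, helper names and the sample URIs (constructed .example hosts that mimic the report's path layout) are assumptions; run link_farm_verdict() on the real file's bytes in practice.

```python
"""Added triage example: extract link-annotation URIs from a PDF and apply a
PDF_SEO_LINK_FARM-style heuristic. Not the scanner's own code; thresholds are
assumptions chosen for illustration."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (...) literal string inside a /Link annotation's action dictionary.
# Handles backslash-escaped parentheses; hex strings (<...>) are not covered.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes, in file order.
    Raw-byte scanning ignores object structure, so it also sees links in
    unreferenced objects but misses ones inside compressed object streams."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group("uri")
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_shape(path: str) -> str:
    """Collapse a URL path to a template: digit runs become N, the filename becomes *.
    Lets links spread over many domains still cluster when they share one CMS layout."""
    directory, _, _ = path.rpartition("/")
    return re.sub(r"\d+", "N", directory) + "/*"


def link_farm_verdict(pdf_bytes: bytes, min_links: int = 10, max_size: int = 200 * 1024,
                      min_pdf_share: float = 0.7, min_cluster_share: float = 0.5) -> dict:
    """Score the file against the link-farm pattern: small file, many external
    clickable links, most pointing at .pdf files, clustered on one host or one
    path template. Thresholds are illustrative assumptions, not the scanner's."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    shapes = Counter(path_shape(urlparse(u).path) for u in external)
    n = len(external)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_shape, top_shape_n = shapes.most_common(1)[0] if shapes else (None, 0)
    pdf_share = len(pdf_links) / n if n else 0.0
    cluster_share = max(top_host_n, top_shape_n) / n if n else 0.0
    hit = (len(pdf_bytes) <= max_size and n >= min_links
           and pdf_share >= min_pdf_share and cluster_share >= min_cluster_share)
    return {
        "size": len(pdf_bytes), "external_links": n, "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts), "top_host": top_host,
        "top_host_share": top_host_n / n if n else 0.0,
        "top_path_shape": top_shape, "top_shape_share": top_shape_n / n if n else 0.0,
        "link_farm": hit,
    }


def build_sample_pdf(uris) -> bytes:
    """Constructed test input (not the analysed sample): a minimal PDF skeleton with
    one uncompressed /Link annotation per URI. It has no valid xref/trailer, which
    the raw scanner does not need."""
    parts = [b"%PDF-1.4\n"]
    for i, u in enumerate(uris, start=1):
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (i, u.encode("latin-1")))
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# Constructed hosts (.example TLD) mimicking the shape seen in the report:
# different domains, identical /uploads/1/3/0/<d>/<9 digits>/<name>.pdf layout.
SAMPLE_URIS = [
    "http://host-a.example/uploads/1/3/0/3/130324440/renojavesip.pdf",
    "http://host-b.example/uploads/1/3/0/7/130776436/051cd266322ccec.pdf",
    "http://host-c.example/uploads/1/3/0/4/130435701/surexifozujova.pdf",
    "http://www.host-d.example/uploads/1/3/0/9/130969800/1488676.pdf",
    "http://cpanel.host-e.example/uploads/1/3/0/8/130814143/dotegotefosafu.pdf",
    "http://host-f.example/uploads/1/3/0/6/130620528/69304ddce0.pdf",
    "http://host-g.example/uploads/1/3/0/4/130435925/43f6059057db.pdf",
    "http://host-h.example/uploads/1/3/0/2/130272403/gekojegutu.pdf",
    "http://host-i.example/uploads/1/3/0/7/130739021/pesirodijexapupalo.pdf",
    "http://host-j.example/uploads/1/3/0/4/130483909/kibotobi_dizubama.pdf",
    "http://host-k.example/uploads/1/3/0/5/130539354/130539354.html#cover+letter",
    "http://host-l.example/uploads/1/3/0/6/130640141/c64210.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    for key, value in link_farm_verdict(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict fires even though every link sits on a different host, because all twelve share the same path template; a host-only clustering rule, read literally from the heuristic text, would miss this layout. Raw-byte scanning is deliberately cheap and conservative: it will not see links inside compressed object streams (/ObjStm) or in hex-encoded strings, so a clean result from this script is not evidence of absence, and a proper PDF parser should be used as a second pass.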

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003756.bin
SHA-256: 600dce13b28d10942e7a97891c15bf6f812af5c6d11190ca18c685c0ffe898c9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3756
Size: 7888 bytes