Malicious PDF — malware analysis report

Static analysis result for SHA-256 81a97ab7e1ccebb5…

MALICIOUS

PDF

Size: 55.8 KB
Authoring application: Pdftk
MD5: 64f6136efb7ab14c5b7870dedd15bf92
SHA-1: 53d0a08c794c2449da72b1e1b8af553906a71321
SHA-256: 81a97ab7e1ccebb523ca3cdbe038f304fce71316bbd9a6a81f08e13af8b8e1e4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to other PDF files hosted on various domains. This behavior is characteristic of SEO spam or phishing campaigns designed to drive traffic to malicious or low-reputation sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-driving intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000115e.bin
    SHA-256: 21d4bb5f88774ae53314e054cc497a215e01dd3a956c6cdd8dc95e2153b65ffb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x115E
    Size: 10572 bytes
  • font_01_sfnt_off00009ba8.bin
    SHA-256: e5cd680e938c034b3565b94c2d7890809ff1349cd1471179b5e6f4d6d1835b9e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9BA8
    Size: 3344 bytes