Malicious PDF — malware analysis report

Static analysis result for SHA-256 84c810dbfaa479e5…

Verdict: MALICIOUS
File type: PDF
Size: 47.5 KB
Authoring application: Solid Converter PDF
MD5: 94c0381a772bacd3b9356d59621c3683
SHA-1: b90f203d9de6209c8495a55e99a91980408ecb9e
SHA-256: 84c810dbfaa479e59f6a921600a31eb3cbbb7fb893d99d15262cadbb67bd1fae
Risk score: 140

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The document fires a critical link-farm heuristic: it is a small PDF whose content consists of clickable links to many external PDF files on other hosts, a pattern typical of generated SEO carrier documents rather than of a real document citing sources. The embedded URLs, one of which points to a raw IPv4 address (95.217.124.70) instead of a named domain, fit a phishing or unwanted-software distribution chain. ClamAV independently flags the file as Pdf.Phishing.TtraffRobotInstall, which supports the malicious verdict.

Heuristics 4

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Clickable URI points to raw IP address (medium, PDF_URI_IP_LITERAL)
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://fisotev.parfumsoo.ru/uploads/2020/01/28/7593222.pdf
    • https://tivagokazoganix.weebly.com/uploads/1/3/0/2/130271244/nuxuporofagav.pdf
    • https://vazuseroruwun.weebly.com/uploads/1/3/0/3/130379067/zavijewixafomoreta.pdf
    • http://blacklines.org/uploads/1/3/0/5/130550768/4420479.pdf
    • http://themayacentre.org/uploads/1/3/0/4/130489331/2429308.pdf
    • http://your-website.name/uploads/2020/01/29/bogowuraruxixi.pdf
    • http://sharkdesarrollos.com/uploads/2020/01/27/82cc8a.pdf
    • http://schanwriter.com/uploads/1/3/0/6/130604078/4cfc90405a38bfe.pdf
    • http://loxo.my-blogonline.ru/uploads/2020/01/28/nisum.pdf
    • http://krystalshark.ru/uploads/2020/01/27/4467972.pdf
    • http://oncobiotek.com/uploads/1/3/0/2/130272102/maxivo.pdf
    • http://95.217.124.70:80/uploads/2020/01/28/narazosax_dazezot.pdf
    • http://lbjconsult.com/uploads/1/3/0/6/130621859/8891906.pdf
    • http://blondiau.org/uploads/1/3/0/4/130488338/fezukawugop.pdf
    • http://aventusinflatables.com/uploads/1/3/0/5/130551362/7828431.pdf
    • http://kexig.rusfermer.info/uploads/2020/01/27/7914309.pdf
    • http://niforov.2elalanadialsat.com/uploads/2020/01/29/3429389c37f8d.pdf
    • http://lightfastdesign.com/uploads/1/3/0/3/130324152/dc8b7ad84a.pdf
    • http://resiliencepsychotherapy.com/uploads/1/3/0/6/130604778/wajepatofi-weweji-bugifapizoziga.pdf
    • http://littlebsbigdesigns.com/uploads/1/3/0/6/130603808/7046307.pdf
    • http://color4home.com/uploads/1/3/0/5/130540592/130540592.html#businessman+movie+songs++in+hd
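The three PDF-level heuristics above (link farm, IP-literal URI, URL extraction) can be reproduced in a few dozen lines. The block below is an added example written for this page, not the analyzer's or ClamAV's own code: it scans uncompressed /URI actions with regular expressions, builds a constructed sample PDF from a subset of the URLs listed above, and fires the same three rule names. The thresholds (64 KB, ten .pdf links), the function names and the minimal PDF builder are assumptions; the regex scan deliberately ignores FlateDecode'd object streams, which a real tool must inflate before scanning.

```python
"""Static triage of a PDF's clickable /URI actions (added example, not the
report tool's code). Thresholds and helper names are assumptions."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI target as a literal string "(...)" with PDF escapes, or as a hex string
# "<...>". Both only match dictionaries that sit uncompressed in the file.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target found in uncompressed object text.
    Caveat: annotations inside FlateDecode'd object streams are invisible to
    this scan; a real analyzer inflates those streams (zlib) first."""
    targets = []
    for m in URI_LITERAL.finditer(pdf):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
        targets.append(raw.decode("latin-1"))
    for m in URI_HEX.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexdigits) % 2:            # PDF pads an odd final digit with 0
            hexdigits += "0"
        targets.append(bytes.fromhex(hexdigits).decode("latin-1"))
    return targets


def is_ipv4_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def triage(pdf: bytes, max_size: int = 64 * 1024, min_pdf_links: int = 10) -> dict:
    """Run the link-farm and IP-literal heuristics over the clickable URLs.
    max_size / min_pdf_links are assumed thresholds, not the tool's values."""
    urls = extract_uris(pdf)
    http = [u for u in urls if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in http if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "?" for u in http)
    hits = []
    if len(pdf) <= max_size and len(pdf_links) >= min_pdf_links:
        top_host, top_count = hosts.most_common(1)[0]
        hits.append(("PDF_SEO_LINK_FARM", "critical",
                     f"{len(pdf_links)} external .pdf links in {len(pdf)} bytes; "
                     f"busiest host {top_host} ({top_count} links)"))
    for u in http:
        if is_ipv4_literal(urlsplit(u).hostname or ""):
            hits.append(("PDF_URI_IP_LITERAL", "medium", f"raw IP destination {u}"))
    if urls:
        hits.append(("EMBEDDED_URL", "info", f"{len(urls)} URL(s) extracted"))
    return {"urls": urls, "hosts": hosts, "hits": hits}


def build_sample_pdf(urls: list) -> bytes:
    """Construct a minimal uncompressed PDF with one /Link annotation per URL.
    Test input only (no xref table): enough for a regex scan, not a strict parser."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>".encode())
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({esc}) >> >>".encode())
    body = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        body += f"{n} 0 obj\n".encode() + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed test input: a subset of the URLs listed in the report above,
# wrapped in a hand-built PDF (not the analysed sample itself).
SAMPLE_URLS = [
    "http://fisotev.parfumsoo.ru/uploads/2020/01/28/7593222.pdf",
    "https://tivagokazoganix.weebly.com/uploads/1/3/0/2/130271244/nuxuporofagav.pdf",
    "https://vazuseroruwun.weebly.com/uploads/1/3/0/3/130379067/zavijewixafomoreta.pdf",
    "http://blacklines.org/uploads/1/3/0/5/130550768/4420479.pdf",
    "http://themayacentre.org/uploads/1/3/0/4/130489331/2429308.pdf",
    "http://your-website.name/uploads/2020/01/29/bogowuraruxixi.pdf",
    "http://sharkdesarrollos.com/uploads/2020/01/27/82cc8a.pdf",
    "http://schanwriter.com/uploads/1/3/0/6/130604078/4cfc90405a38bfe.pdf",
    "http://loxo.my-blogonline.ru/uploads/2020/01/28/nisum.pdf",
    "http://krystalshark.ru/uploads/2020/01/27/4467972.pdf",
    "http://oncobiotek.com/uploads/1/3/0/2/130272102/maxivo.pdf",
    "http://95.217.124.70:80/uploads/2020/01/28/narazosax_dazezot.pdf",
    "http://color4home.com/uploads/1/3/0/5/130540592/130540592.html#businessman+movie+songs++in+hd",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for name, severity, detail in triage(SAMPLE_PDF)["hits"]:
        print(f"{severity:8} {name:22} {detail}")
```

The scan covers only /URI actions; a production rule set also walks /OpenAction, /AA and /JavaScript dictionaries, which can open URLs without a visible link, and inflates every /FlateDecode stream before matching, otherwise a sample that stores its annotations in an object stream fires nothing.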

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000015e5.bin
    SHA-256: 1e0d644b44059f2c101ee10eed46cf0742a15b068db31ff6eae7614fd4c3341f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15E5
    Size: 9000 bytes
  • Filename: font_01_sfnt_off000071f2.bin
    SHA-256: 101447ec0f1ff9a166538e0d663148276e3a4fc1aded7589db46e8db93931e1f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71F2
    Size: 16336 bytes