Malicious PDF — malware analysis report

Static analysis result for SHA-256 84cbf71a97d98393…

MALICIOUS

PDF

Size: 57.2 KB
Authoring application: Scribus
MD5: 4edcb43a3671348fb912d1cd5520ea43
SHA-1: ba6cbb7b9c52bbf9618c936cde2798ca395158f0
SHA-256: 84cbf71a97d9839335bd261a7fd75d48812e95bc1a1646ec1da529a0ba4093d9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links predominantly point to other PDF files hosted on various domains, suggesting a link farm or redirection mechanism. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://nativenationarts.com/uploads/1/3/0/8/130873943/vorovijenubawixo.pdf
    • http://readerbunny.org/uploads/1/3/0/5/130543158/zetuzav.pdf
    • http://basicswitch.com/uploads/1/3/0/6/130640220/gisav.pdf
    • http://coreparalegal.com/uploads/1/3/0/8/130874409/jivaxi.pdf
    • http://dedicatedladiesconcrete.com/uploads/1/3/0/6/130639868/4816229.pdf
    • http://wildcreekmarketing.com/uploads/1/3/0/7/130738680/758fa075.pdf
    • http://noneday.com/uploads/1/3/0/2/130272290/polan.pdf
    • http://cienciayamor.com/uploads/1/3/0/7/130775331/nudebuv.pdf
    • http://benplattes.net/uploads/1/3/0/4/130436040/dasurepo.pdf
    • http://camptexas.com/uploads/1/3/0/6/130621273/zatufezuwibe.pdf
    • http://keithharleystyle.com/uploads/1/3/0/2/130272638/pixukuje.pdf
    • http://www.ihairdealea.com/uploads/1/3/0/4/130488506/jekivevujazewebov.pdf
    • http://northshorebostonrealtor.com/uploads/1/3/0/2/130272388/87014.pdf
    • http://lillgallery.com/uploads/1/3/0/5/130544826/vulezafaneriwat.pdf
    • http://milesmcallister.com/uploads/1/3/0/7/130739720/bccd2425c.pdf
    • http://toosrodieck.com/uploads/1/3/0/6/130604701/vafikewivunu.pdf
    • http://www.classycoles.com/uploads/1/3/0/6/130620251/7bd26.pdf
    • http://jimturrell.net/uploads/1/3/0/6/130605164/edb2d15b43db75.pdf
    • http://www.bucketlistbooks.co.uk/uploads/1/3/0/4/130483728/8242431.pdf
    • http://mail.somerscustomframing.com/uploads/1/3/0/8/130813973/9173827.pdf
    • http://rescuefog.com/uploads/1/3/0/4/130483821/tivipitunilinedu.pdf
    • http://a1000575xstreamtravel.xsideas.com/uploads/1/3/0/4/130489052/130489052.html#sabbath+school+lesson+2019+nehemiah
    • http://readerbunny.org/uploads/1/3/0/5/1305

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000010c5.bin
    SHA-256: b70e762f33e9a034f67d8b8d76b607473d36d56404e29c68c5f36cb3f23c5983
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C5
    Size: 8972 bytes
  • Filename: font_01_sfnt_off000087cd.bin
    SHA-256: 8e79e6f40449bce11010868496ff806dc7d5faab648b4a9baf63b9dd17e2b45d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x87CD
    Size: 16092 bytes