MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded links to external PDF documents, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or traffic-driving intent. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery mechanisms.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00003ad2.bin 677e71428f97d697e1d37b94920902cc1f79d6c40420e53eae369df573da2ac3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AD2 | 16192 bytes |
| font_01_sfnt_off000052f0.bin 1840640624fecb919e64ee7386372f885fb4688baf74008f51131a6b9b9a821c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x52F0 | 8828 bytes |