Malicious PDF — malware analysis report

Static analysis result for SHA-256 85d78f2d0a5de36c…

Verdict: MALICIOUS
File type: PDF
Size: 52.4 KB
Authoring application: Nitro PDF
MD5: 881b8e5862745caa8c81b66686c6651c
SHA-1: 4761fbb1362875e3bfebb7bd725314e391e2b0ea
SHA-256: 85d78f2d0a5de36c2ee6987b9214ede98febaaec79fc37f235fda82b9f0e25b3
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique commonly used in SEO-poisoning and phishing campaigns. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, most likely traffic redirection or phishing. The document body itself is heavily obfuscated and contains a reference to one of the malicious URLs.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000e77.bin
SHA-256: a18d57e069899a926ed3ffe330de3f19272a29d6b76bf190cff88c0a7acf9ad3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE77
Size: 7372 bytes