Malicious PDF — malware analysis report

Static analysis result for SHA-256 86dc80f0963b54de…

Verdict: MALICIOUS
File type: PDF
Size: 36.2 KB
Authoring application: QPDF
MD5: 3cf2db93d619857bc1cfdffe5604e536
SHA-1: c1f30bbc7af217be302bb822fd54fd5b5840fa0c
SHA-256: 86dc80f0963b54dec3a3cc7373e49337414e62079bda50b612d4d425f67e4d74
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF employs a social engineering lure, masquerading as a free download for Adobe Reader to trick users into clicking on a link farm. This link farm directs users to multiple external PDF files hosted on various domains, likely as part of a phishing or malware distribution scheme. The heuristic 'SE_SECRET_RECOVERY_LURE' further suggests the intent is to solicit sensitive information from the user.

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request [critical] SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure [high] SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001151.bin
SHA-256: 874d2b0b7119801b949795769dcad8cf2858e29be7a33d4e8194b64831f09942
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1151
Size: 7916 bytes