Malicious PDF — malware analysis report

Static analysis result for SHA-256 89ae50cc12a200a4…

Verdict: MALICIOUS
File type: PDF
Size: 38.1 KB
Authoring application: GIMP
MD5: 8f351b974f7b7c37c343936b7a180985
SHA-1: ca4481b9b3f0ff4e42cd62742f961ad28ef8f8dc
SHA-256: 89ae50cc12a200a41278ccf693dd29762ec8e37ab48433d00d6c3b78a5d0c80f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF files across various domains. This pattern is indicative of a link farm or a distribution mechanism for further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious-distribution intent. No scripts were extracted from this sample, which limits analysis of direct execution behaviors to what the static indicators show.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000331b.bin
    SHA-256: a82d05c8e441e3bd44d05f8090b957ac107bb946b8fc7b9088747860b737430f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x331B
    Size: 7684 bytes