Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a08f2b935074942…

Verdict: MALICIOUS
File type: PDF
Size: 46.9 KB
Authoring application: Poppler-utils
MD5: 708cc58d906c91f606e25fe3dc32b480
SHA-1: 395b06f2992bafd39847a08aa921303e78a2e820
SHA-256: 8a08f2b935074942e0162c6e54d08583355f7f55ca5d86e3c2c52af7f7e053f5
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to external PDF files hosted on other domains. That pattern is consistent with a generated link farm used for phishing or for routing victims into a further malware-delivery chain rather than with a document's normal citations. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports a phishing or traffic-redirection intent. No scripts (JavaScript or otherwise) were extracted from this sample, so the specific payload delivery mechanism cannot be determined from static analysis alone; in particular, the T1059.001 (PowerShell) mapping is not evidenced by any artifact carved from this file and should be read as an inference about the downstream chain, not as an observed capability of the PDF itself.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cementfab.com/uploads/1/3/0/6/130605501/4945659.pdf
    • http://touchmile.com/uploads/1/3/0/3/130323979/0e5f32517.pdf
    • http://andrewtimmer.com.au/uploads/1/3/0/7/130739063/6943418.pdf
    • http://momentumva.com/uploads/1/3/0/7/130739837/3913e735f9c.pdf
    • http://bvhstyle.com/uploads/1/3/0/8/130814909/remizez.pdf
    • http://burgerbattle.net/uploads/1/3/0/3/130379422/mojumukod.pdf
    • http://annalisaroger.green/uploads/1/3/0/7/130739615/rijef-tasozateberetad.pdf
    • http://nerdendo.com/uploads/1/3/0/3/130313274/1686102.pdf
    • http://refugefriendsinc.org/uploads/1/3/0/5/130588199/fibowukal.pdf
    • http://saratogasirens.rocks/uploads/1/3/0/6/130604945/muzeraguxozexixusum.pdf
    • http://jackmcbride.net/uploads/1/3/0/7/130739539/sixaxoruvumela.pdf
    • http://neboair.com/uploads/1/3/0/7/130738948/wuzogepeb.pdf
    • http://nyanyaekaterinburg.ru/uploads/1/3/0/3/130313271/5091607.pdf
    • http://delmontesupport.com/uploads/1/3/0/5/130550801/satosu.pdf
    • http://shanisofficepreview.com/uploads/1/3/0/4/130436307/kigisejika_fozufil.pdf
    • http://serpboards.com/uploads/1/3/0/7/130738929/3777237.pdf
    • http://gt-autos.com/uploads/1/3/0/4/130476516/webepa.pdf
    • http://manoliskaratarakis.website/uploads/1/3/0/3/130323531/c0a5c.pdf
    • http://mojohomeautomation.com/uploads/1/3/0/3/130324350/nasugilim.pdf
    • http://princetonfamilywellness.com/uploads/1/3/0/5/130543663/65775179c51b.pdf
    • http://the-crafty-sagittarius.com/uploads/1/3/0/6/130605149/gelujo.pdf
    • http://theloveshanghai.com/uploads/1/3/0/6/130604765/zubom.pdf
    • http://shardexplorers.com/uploads/1/3/0/3/130323157/130323157.html#neurotransmisor+acetilcolina+accion
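The following is an added example of how the PDF_SEO_LINK_FARM heuristic can be reproduced independently; it is not the scanner's own logic and not part of the original report. It builds a constructed, minimal, uncompressed PDF in memory with one /Link annotation per URL (eleven URLs taken verbatim from the list above, used only as strings and never contacted), pulls the /URI targets back out with a byte-level scan, and then applies the heuristic. Because the extracted URLs above spread across many hosts but nearly all share the same /uploads/1/3/0/<digit>/13xxxxxxx/<name>.pdf shape, the example clusters on both the host and a digit-collapsed path template. The thresholds (64 KB, at least 10 external links, 60% clustering) are this example's assumptions. The regex scan only sees links in plain object dictionaries; a real carrier that packs its annotations into compressed object streams or an encrypted file must be inflated or decrypted first.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# Ten .pdf links plus the one .html link from the report's extracted-URL list above.
# They are used only as strings to build an in-memory sample; nothing is fetched.
SAMPLE_URLS = [
    "http://cementfab.com/uploads/1/3/0/6/130605501/4945659.pdf",
    "http://touchmile.com/uploads/1/3/0/3/130323979/0e5f32517.pdf",
    "http://andrewtimmer.com.au/uploads/1/3/0/7/130739063/6943418.pdf",
    "http://momentumva.com/uploads/1/3/0/7/130739837/3913e735f9c.pdf",
    "http://bvhstyle.com/uploads/1/3/0/8/130814909/remizez.pdf",
    "http://burgerbattle.net/uploads/1/3/0/3/130379422/mojumukod.pdf",
    "http://annalisaroger.green/uploads/1/3/0/7/130739615/rijef-tasozateberetad.pdf",
    "http://nerdendo.com/uploads/1/3/0/3/130313274/1686102.pdf",
    "http://refugefriendsinc.org/uploads/1/3/0/5/130588199/fibowukal.pdf",
    "http://saratogasirens.rocks/uploads/1/3/0/6/130604945/muzeraguxozexixusum.pdf",
    "http://shardexplorers.com/uploads/1/3/0/3/130323157/130323157.html#neurotransmisor+acetilcolina+accion",
]


def _pdf_escape(s: str) -> str:
    """Escape a string for use inside a PDF literal string ( ... )."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_sample_pdf(urls):
    """Constructed sample: a minimal one-page PDF whose only content is one
    /Link annotation with a /URI action per URL (uncompressed, with a valid xref)."""
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [
        "<< /Type /Catalog /Pages 2 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>",
    ]
    for i, url in enumerate(urls):
        y = 780 - 14 * i  # stack one clickable rectangle per link down the page
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [36 {y} 576 {y + 12}] "
                    f"/A << /S /URI /URI ({_pdf_escape(url)}) >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode("ascii")
    out += b"".join(f"{off:010d} 00000 n \n".encode("ascii") for off in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode("ascii")
    return bytes(out)


# Matches /URI (literal string) in plain object dictionaries. Links inside /ObjStm
# object streams or encrypted files are invisible to this until decompressed/decrypted.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_links(pdf_bytes: bytes):
    """Return the /URI targets of link-annotation actions, in file order, unescaped."""
    return [re.sub(r"\\(.)", r"\1", m.group(1).decode("latin-1"))
            for m in _URI_RE.finditer(pdf_bytes)]


def path_template(url: str) -> str:
    """Collapse a URL path to its shape: digit runs become N, the file name becomes *.ext."""
    directory, _, filename = urlsplit(url).path.rpartition("/")
    directory = re.sub(r"\d+", "N", directory)
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return f"{directory}/*" + (f".{ext}" if ext else "")


def assess_link_farm(pdf_bytes: bytes, max_size=64 * 1024, min_links=10, cluster_share=0.6):
    """Flag a small PDF whose clickable external links are numerous and clustered on
    one host or one path template. Thresholds are this example's assumptions."""
    links = extract_uri_links(pdf_bytes)
    external = [u for u in links if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tmpl, top_tmpl_n = templates.most_common(1)[0] if templates else ("", 0)
    pdf_links = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    result = {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_link_share": pdf_links / n if n else 0.0,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_host_n / n if n else 0.0,
        "top_path_template": top_tmpl,
        "top_path_template_share": top_tmpl_n / n if n else 0.0,
    }
    result["flagged"] = (len(pdf_bytes) <= max_size and n >= min_links
                         and max(result["top_host_share"],
                                 result["top_path_template_share"]) >= cluster_share)
    return result


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print("constructed sample sha256:", hashlib.sha256(sample).hexdigest())
    for key, value in assess_link_farm(sample).items():
        print(f"{key:>24}: {value}")
```

Run against the constructed sample, the host clustering stays low (eleven distinct hosts) while the path-template clustering is ten of eleven, which is what trips the flag; a two-link document with unrelated paths does not. To run this on a real suspect file, replace the constructed sample with the file's bytes, and decompress any object streams first or the scan will undercount.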

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off00003383.bin
  SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3383
  Size: 2652 bytes

font_01_sfnt_off00003c4f.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3C4F
  Size: 16036 bytes

font_02_sfnt_off000053ef.bin
  SHA-256: a620da62a00d3a19bf49bf820cb1bd47c6cd514de008a2df32dbc2a9b4fadd27
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x53EF
  Size: 9244 bytes