Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b8ec72e8220e9d1…

Verdict: MALICIOUS
File type: PDF
Size: 72.3 KB
Authoring application: pstoedit
MD5: 7c13db29899aec727b94a6541580dc51
SHA-1: cc2670519599631a62c2244390cd67ca1109ab70
SHA-256: 8b8ec72e8220e9d19a78ecf3c7fc4f2d96011db0344d0dc464f5daca6aa21283
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection also flags this as Pdf.Phishing.TtraffRobotInstall. The document body, though heavily obfuscated, contains URLs that are part of this link farm. The primary attack pattern appears to be a link farm designed to redirect users to potentially malicious content or for SEO manipulation.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://sozikegelikozu.weebly.com/uploads/1/3/0/4/130476649/luzox.pdf
    • http://texas2stepfilm.com/uploads/1/3/0/2/130291783/4251b8b.pdf
    • http://d-jedi.com/uploads/1/3/0/2/130270991/lopawajakaluferivesa.pdf
    • http://jasajuto.kkylosov.ru/uploads/2020/01/27/1474647.pdf
    • http://pigoza.markaajans.online/uploads/2020/01/27/4329442.pdf
    • https://fusutavakawiti.weebly.com/uploads/1/3/0/5/130588775/a02d3a.pdf
    • http://europeanfenestrationsystems.com/uploads/1/3/0/5/130589252/dusixed.pdf
    • http://tjinspires.com/uploads/1/3/0/2/130270768/b5be01650b3.pdf
    • http://pisax.zphoto.pro/uploads/2020/01/28/worifokeminu.pdf
    • http://cantonfair2u.com/uploads/1/3/0/5/130551153/wigigad.pdf
    • http://nexoclean.com/uploads/1/3/0/3/130323597/woweromi.pdf
    • http://gubovebil.copyrightcontact-1000004839645.com/uploads/2020/01/27/731d3fcb98.pdf
    • http://setujo.inity420.com/uploads/2020/01/27/gomabapusovi-visikewal-jadipexo-jexom.pdf
    • http://urlmac.com/uploads/2020/01/28/wupoj.pdf
    • http://xelabinife.greatthings.icu/uploads/2020/01/27/dezudasifu.pdf
    • http://dvoryansky.ru/uploads/2020/01/28/dugog.pdf
    • http://northshorepf.weebly.com/uploads/1/3/0/5/130544134/5e54caf87949.pdf
    • http://reikijan.com/uploads/1/3/0/6/130639911/e099d586f4b5c0.pdf
    • https://xopilavuxuneki.weebly.com/uploads/1/3/0/6/130604737/6021491.pdf
    • http://passione-presepe.com/uploads/1/3/0/4/130436139/3ee5d5b46.pdf
    • http://kersteninc.com/uploads/1/3/0/5/130539297/fibujizurutubizomow.pdf
    • http://kellysandau.com/uploads/1/3/0/6/130604744/demaj_maxuki_lixumepuja.pdf
    • http://staygraceful.us/uploads/1/3/0/6/130604744/d18745ff4e.pdf
    • http://nuohotel-zh.devsite-1.com/uploads/1/3/0/4/130435998/130435998.html#friction+on+inclined+plane+report

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000016b4.bin
    SHA-256: ac955b96c75fa55447a9138fdfdc5cb640ed3c362a660057e08d7524bcef461c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16B4
    Size: 9332 bytes
  • font_01_sfnt_off0000c9f2.bin
    SHA-256: 8924f8d1688d8df7cdd0c28764f944d237246543a18303980fb18d981d4bddc2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC9F2
    Size: 16296 bytes
  • font_02_sfnt_off0000df40.bin
    SHA-256: dfce982e17c0476fbfc52cca6ece7e338966297a88a8d3d408702d43ff35dbaf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDF40
    Size: 2980 bytes