Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bf1ce7d0bc45967…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Authoring application: Karbon
MD5: 5a24802cc83180d4b46f8d48a579c0c3
SHA-1: c1e3f9ccb67437d13643357d7aee29066396ae62
SHA-256: 8bf1ce7d0bc45967a4b3e9a2ccca11f3ab0d9cc572cff5f37f3addcacf341b8a
Risk score: 120

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection further confirms its malicious nature, classifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001170.bin
    SHA-256: 5112f8fbf94bcb0f786cbf4ebd05954aced9099b805bb1ddc5b26b5630e5d0c9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1170
    Size: 8144 bytes
  • font_01_sfnt_off00005ba1.bin
    SHA-256: 9602808d1dcf3e11e6a72d2c2fc2e017b5c4f6a5d229db09053900abd4535a05
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5BA1
    Size: 2868 bytes
  • font_02_sfnt_off0000674c.bin
    SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x674C
    Size: 2652 bytes