Malicious PDF — malware analysis report

Static analysis result for SHA-256 8da3d8d9760e759d…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Authoring application: SWFTools
MD5: 50e3eee4d680b893143a44c1fb2058eb
SHA-1: 834a0868ce15d698feabd12a0832454e47f6ee4d
SHA-256: 8da3d8d9760e759d2103a26c982cf735be66b96c2a7ca6986cf624d5eea13c3d
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, presented as free ebook downloads. The extracted URLs share an identical /uploads/1/3/0/<n>/13xxxxxxx/ path template across many unrelated hosts, which is characteristic of generated link-farm documents used for phishing or to route victims into further malware delivery. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' supports the phishing classification. No scripts (JavaScript or other actions) were extracted from this sample; the only channel to the URLs is the link annotations themselves, so a user has to click a link for the chain to continue.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bybforbes.com/uploads/1/3/0/6/130620370/293094166.pdf
    • http://www.grimcove.com/uploads/1/3/0/9/130969352/471480.pdf
    • http://thebottledbard.com/uploads/1/3/0/2/130272458/292b3c351a1.pdf
    • http://newreb.com/uploads/1/3/0/2/130274098/nujuxowes.pdf
    • http://rockvalleydistillery.com/uploads/1/3/0/7/130740130/5188682.pdf
    • http://www.seansmiamicatering.com/uploads/1/3/0/4/130435945/tadalutuxom.pdf
    • http://www.dlcimeris.ca/uploads/1/3/0/6/130620163/wotakovalebelenisuw.pdf
    • http://refidelity.com/uploads/1/3/0/8/130873868/vuvirigudale.pdf
    • http://kamconsulting.fr/uploads/1/3/0/5/130588378/3245399.pdf
    • http://visualedgeoptometricgroup.com/uploads/1/3/0/3/130323761/1df7334d.pdf
    • http://geniusplaylab.com/uploads/1/3/0/7/130775729/9376820.pdf
    • http://neverenoughpink.com/uploads/1/3/0/5/130550995/nazufodatudatagevi.pdf
    • http://waypointpublications.com/uploads/1/3/0/2/130289354/2433593.pdf
    • http://www.rosehogan.com/uploads/1/3/0/6/130604557/6319ed69.pdf
    • http://wxstuff.com/uploads/1/3/0/5/130588279/4086721.pdf
    • http://rhinesville.com/uploads/1/3/0/5/130543537/7838954.pdf
    • http://becker-energie.fr/uploads/1/3/0/4/130435712/3154983.pdf
    • http://middleclassempowermentzone.org/uploads/1/3/0/9/130969938/7387434.pdf
    • http://eagleeyeimaging.org/uploads/1/3/0/6/130639546/rosituwiluvuwop_fusom_xaxojuxidin_gewunemipenej.pdf
    • http://edutrading.net/uploads/1/3/0/2/130271054/cded2628b22909.pdf
    • http://mainstreetmystery.com/uploads/1/3/0/2/130289551/3406865.pdf
    • http://mta29.somekindofsimple.com/uploads/1/3/0/3/130313741/vikenex.pdf
    • http://zaixiandaxingyouxi.br3h.com/uploads/1/3/0/7/130775432/130775432.html#data+warehousing+and+data+mining+free+ebooks
    • http://mta29.somekindofsimple.com/upl

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002fcf.bin
SHA-256:  d489a84263177cf585899defe81dc25cb73dd29e2a35e5e6bd573d05e808911f
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x2FCF
Size:     7756 bytes