Malicious PDF — malware analysis report

Static analysis result for SHA-256 8dd12348899e81aa…

MALICIOUS

PDF

33.8 KB Authoring application: GIMP
MD5: 78f6181d73a285cd20bf96e37f17c13b SHA-1: 0d25f2255689cdb39d3484ad99666297f6d47ef8 SHA-256: 8dd12348899e81aa2473166f1726c5444297cd85b1601da55875c4425e0bd5f1
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF file contains a large number of external links to other PDF files, a technique often used for SEO poisoning or to distribute malicious content. The heuristic 'SE_REMOTE_SUPPORT_LURE' indicates the document may instruct users to install remote support tools, which is a common social engineering tactic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malware distribution intent. The embedded URLs are likely part of this lure, directing users to download further malicious payloads.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://baxitupov.nix-dns-oldi.info/uploads/2020/01/28/5360423.pdf
    • http://shakespublications.com/uploads/1/3/0/2/130271031/7860404.pdf
    • https://kagupaxexop.weebly.com/uploads/1/3/0/2/130287937/713b8b4e72a1.pdf
    • http://hbade.com/uploads/1/3/0/5/130551387/fevinaribi.pdf
    • https://parezojimu.weebly.com/uploads/1/3/0/2/130289304/tenutekekenili.pdf
    • http://mybest30minutes.com/uploads/1/3/0/6/130620431/9a847.pdf
    • http://krsferie.no/uploads/1/3/0/2/130271117/fufilolijumuvem_supamubu_sawupawedoxiko.pdf
    • http://train4safety.net/uploads/1/3/0/4/130488410/130488410.html#adobe+photoshop+7.+0++pc+windows+8

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000114e.bin
afa4a52610811d041f799036265136577949ad5b9e7d7fa8d5dd4035477ac7d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x114E 7796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.