Malicious PDF — malware analysis report

Static analysis result for SHA-256 8de89d6e57c54ec9…

Verdict: MALICIOUS
File type: PDF
Size: 35.4 KB
Authoring application: GIMP
MD5: 49efefc7d409acdc3a4949bdf5744add
SHA-1: d821216fb0987a3daa867a33b580f89545b0a389
SHA-256: 8de89d6e57c54ec957c6a22a634f9e61e3358ba96f82e64febc0af94a443e228
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF exhibits the characteristics of a phishing or SEO-manipulation carrier rather than a normal document. The critical PDF_SEO_LINK_FARM heuristic fired because a 35 KB file carries twelve clickable external links: eleven point to other PDF files on eleven different domains that all share the same /uploads/1/3/0/<n>/<id>/ path structure, and the twelfth is an HTML page whose URL fragment is an SEO keyword phrase (star+wars+commander+level+3+base). The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports malicious intent, most likely traffic redirection into a phishing or unwanted-software delivery chain. This static pass does not establish which of the linked files actually serves a payload; the extracted URLs are the next pivot for analysis.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (12):
    • http://mystparanormal.com/uploads/1/3/0/2/130289557/wujevezuxizuraxejef.pdf
    • http://acouturelife.com/uploads/1/3/0/5/130539735/bizugefalujuzugo.pdf
    • http://cureand.com/uploads/1/3/0/3/130379583/vumubarebibu.pdf
    • http://occasionsbygigi.com.au/uploads/1/3/0/5/130540214/gujudiperagatu_sidiminobox.pdf
    • http://moodmetals.com/uploads/1/3/0/4/130476122/0c675fc6a3ca9b.pdf
    • http://andigeloolaw.com/uploads/1/3/0/5/130545194/fuviwov.pdf
    • http://savelma.com/uploads/1/3/0/4/130483871/bosovedutorasip.pdf
    • http://bmorewell.com/uploads/1/3/0/2/130289266/guwotazoka-gupovidusux-putel-wugujaxeken.pdf
    • http://stickittolennon.com/uploads/1/3/0/4/130477882/1344077.pdf
    • http://racingshoxsweden.com/uploads/1/3/0/6/130639895/donanikenitak.pdf
    • http://afcointl.com/uploads/1/3/0/4/130483806/sulurelanexo.pdf
    • http://arcadiagardensllclandscapinganddesign.com/uploads/1/3/0/5/130543569/130543569.html#star+wars+commander+level+3+base
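The PDF_SEO_LINK_FARM heuristic above reduces to three measurable things: the file is small, its clickable links are mostly external .pdf targets, and those targets cluster. The following Python is an added example written for this page, not code from the analysis platform that produced the report. It pulls /URI action targets out of raw PDF bytes with a regex (no PDF library needed, so it also works on the malformed files these campaigns produce), then scores the link set. It extends the report's host clustering with a second clustering key, the digit-normalised path template, because the URL list on this page spreads across twelve hosts yet every path has the same /uploads/N/N/N/N/N/ shape. The sample PDF, the site*.example.invalid URLs and the thresholds (200 KB, 8 links, 50 % PDF share, 60 % cluster share) are constructed assumptions, not values from the report.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# --- constructed sample input (not the analysed sample) ---------------------
# Ten placeholder URLs on ten different hosts sharing the
# /uploads/<d>/<d>/<d>/<d>/<id>/<name> path shape seen in this report;
# the last one is an HTML landing page with an SEO keyword fragment.
SAMPLE_URLS = [
    f"http://site{i}.example.invalid/uploads/1/3/0/{i % 7}/13028{9000 + i}/doc{i}.pdf"
    for i in range(9)
]
SAMPLE_URLS.append("http://site9.example.invalid/uploads/1/3/0/5/130543569/130543569.html#kw+one")


def build_link_pdf(urls):
    """Wrap each URL in a /Link annotation inside a skeletal PDF body.

    Deliberately minimal (no page tree, no xref): only the object syntax
    matters to the extractor below, which is the point of a regex carver.
    """
    objs = []
    for n, u in enumerate(urls, start=3):
        lit = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]\n"
                    f"   /A << /S /URI /URI ({lit}) >> >>\nendobj\n")
    body = ("%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            + "".join(objs) + "%%EOF\n")
    return body.encode("latin-1")


# /URI (literal string) with backslash escapes, and /URI <hex string>
_LIT = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}  # other escapes map to the char itself


def _unescape(s):
    # Octal escapes (\ddd) are not expanded; link-farm URLs never need them.
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s)


def extract_link_uris(pdf_bytes):
    """Return URI action targets found anywhere in the raw PDF, in file order."""
    found = []
    for m in _LIT.finditer(pdf_bytes):
        found.append((m.start(), _unescape(m.group(1)).decode("latin-1")))
    for m in _HEX.finditer(pdf_bytes):
        h = re.sub(rb"\s", b"", m.group(1)).decode()
        h = h + "0" if len(h) % 2 else h           # PDF pads an odd final nibble
        found.append((m.start(), bytes.fromhex(h).decode("latin-1")))
    return [u for _, u in sorted(found)]


def assess_link_farm(urls, size_bytes, *, max_size=200_000, min_links=8,
                     min_pdf_share=0.5, min_cluster_share=0.6):
    """Score the PDF_SEO_LINK_FARM pattern and return the measurements plus verdict.

    Clustering is checked two ways: share of links on the single most common
    host (the report's wording) and share on the most common path template,
    where every digit run in the directory part is collapsed to "N".
    """
    ext = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdfs = [u for u in ext if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in ext)
    templ = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0]) for u in ext)
    n = len(ext)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_templ = templ.most_common(1)[0][1] / n if n else 0.0
    pdf_share = len(pdfs) / n if n else 0.0
    flagged = (size_bytes <= max_size and n >= min_links
               and pdf_share >= min_pdf_share
               and max(top_host, top_templ) >= min_cluster_share)
    return {"external_links": n, "pdf_links": len(pdfs),
            "pdf_share": round(pdf_share, 2),
            "top_host_share": round(top_host, 2),
            "top_template_share": round(top_templ, 2),
            "flagged": flagged}


if __name__ == "__main__":
    pdf = build_link_pdf(SAMPLE_URLS)
    links = extract_link_uris(pdf)
    print(assess_link_farm(links, len(pdf)))
```

Run against a real sample, replace the constructed bytes with `open(path, "rb").read()`; because the regex works on raw bytes it finds annotations in object streams only if they are uncompressed, so for a production detector inflate FlateDecode streams first. The path-template key is what makes the twelve-domain list on this page score as a cluster even though no single host dominates.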

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000128e.bin
SHA-256: e5bb36c95400a065663bae634a6f8e6d24287027a736642bba290754bb335b1c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x128E
Size: 7936 bytes