Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e4723e0a3f5ce7f…

Verdict: MALICIOUS

File type: PDF

Size: 37.0 KB
Authoring application: Soda PDF
MD5: 844a6b5d9f23ff36f0b8f0cf07dd35ca
SHA-1: b83d04a14e420e7b7c9cc1be230c740095a64f7c
SHA-256: 8e4723e0a3f5ce7fd4722477ecd4ecc5c1b452361eea54ebabbed8d9aa44c7ef
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files across various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body itself appears to be malformed or truncated, preventing a deeper analysis of its specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002ea0.bin
SHA-256: a839173079fcffc9614209fc00deeb64451aa1fed636401dbeba63cae3fde95f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2EA0
Size: 9788 bytes