Malicious PDF — malware analysis report

Static analysis result for SHA-256 918e1d181bc43730…

Verdict: MALICIOUS
File type: PDF
Size: 140.4 KB
Authoring application: Adobe PDF Library 9.0
MD5: 4ba488f5bc4a7b238a1c6df94367c0c8
SHA-1: f0c78edef2c95f53638834dd1ffdbcd8b520fd9e
SHA-256: 918e1d181bc437304730239f6364400a397dc162372355461279cae4acb75524
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The SE_ADVANCE_FEE_SCAM_LURE heuristic indicates that the document's content is designed to trick users into paying money or providing sensitive information. The ClamAV detection further confirms its malicious nature. The embedded URLs are likely used to redirect users to malicious sites or download further malware.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind                     Source                                       Size
stream_005_off0000ae20.bin     decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xAE20     16732 bytes
  SHA-256: a954f0f4707a7043b63eef75d3c5c66fcd48cda01c81cda12f37a0f4a74e8a31
font_00_sfnt_off00001562.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x1562    17036 bytes
  SHA-256: 9eb7ea749d7d7bc2dd269b56b4bd779ee83ef3742795ce58aa1bfc822e34eae8
font_01_sfnt_off0000a0ac.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0xA0AC    4376 bytes
  SHA-256: 68ddc89927c5aa10c07b450bea948f6f4b6878cddcbccc95d1dba0579962c08a
font_03_sfnt_off0001f076.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x1F076   2732 bytes
  SHA-256: 7863b829de04ea8b7f5be4d5dae43fa62182e7611f0c3a300d10b316d27db496