Malicious PDF — malware analysis report

Static analysis result for SHA-256 91a297710f159cc9…

Verdict: MALICIOUS

File type: PDF

Size: 36.6 KB
Authoring application: Inkscape
MD5: 4986daab2794041db293523ea264ade6
SHA-1: 1a4bd7350cbf0ac58d66d157f73f2d32fa330525
SHA-256: 91a297710f159cc902f3b8990ca1be440f543e4b5360020854ac91b942d01bd0
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, identified as a 'PDF_SEO_LINK_FARM' heuristic. This indicates the document's primary purpose is to redirect users to numerous external PDF files hosted across various domains. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. No scripts were extracted from this sample.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure (severity: low, id: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.davidwilkins.com.au/uploads/1/3/0/2/130271124/tetiniremebi.pdf
    • http://hnccleaning.co.nz/uploads/1/3/0/6/130604795/44efe.pdf
    • http://annemarieguarnieri.com/uploads/1/3/0/7/130775017/nesiduwezafotojokoj.pdf
    • http://womenintokyo.net/uploads/1/3/0/4/130477036/21789bfb6d9422c.pdf
    • http://promisewed.com/uploads/1/3/0/5/130543868/49397.pdf
    • http://christopherjordanclothingco.com/uploads/1/3/0/5/130589094/dorulajoxezuberi.pdf
    • http://butterflybeautyuk.com/uploads/1/3/0/6/130639768/5703027.pdf
    • http://artfulbeingfineart.com/uploads/1/3/0/6/130639083/5455160.pdf
    • http://kellenkellenkellen.com/uploads/1/3/0/8/130873850/teguzaj.pdf
    • http://dragontradingau.com/uploads/1/3/0/8/130813804/4020713.pdf
    • http://www.thelcdesign.com/uploads/1/3/0/5/130539125/be466a.pdf
    • http://britishsupermarketclassics.com/uploads/1/3/0/8/130874289/zomaxiwanelejevixuxe.pdf
    • http://www.sciartcenter.org/uploads/1/3/0/7/130739498/2171ffcc3.pdf
    • http://splinteredmindshirts.com/uploads/1/3/0/7/130775388/a15d03ce761.pdf
    • http://lovelykacie.com/uploads/1/3/0/5/130589452/xomebisajab_joruvemebi.pdf
    • http://emilydelbridge.com/uploads/1/3/0/5/130589309/3048568.pdf
    • http://fridgeforagers.com/uploads/1/3/0/4/130489830/ba101c76d.pdf
    • http://www.floraexpress.nl/uploads/1/3/0/4/130435649/ee6d7b.pdf
    • http://akvapark.site/uploads/1/3/0/7/130739621/2607882.pdf
    • http://www.qmwtravel.com/uploads/1/3/0/5/130539090/6171570.pdf
    • http://choose2cruiseadventures.voyagerwebsites.com/uploads/1/3/0/5/130539757/130539757.html#adobe+audition+cs6+32+bits+mega
    • http://fridgeforagers.com/uploads/1/3/0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003070.bin
SHA-256: fd7154effa0ac44815fa35df590f4b3e47bcdf1daf025093e7f28f375017a77e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3070
Size: 7576 bytes