Malicious PDF — malware analysis report

Static analysis result for SHA-256 91b9530eecc214d2…

Verdict: MALICIOUS
File type: PDF
Size: 48.5 KB
Authoring application: Pdftk
MD5: 868582cb3eebe419571b62ed8fd73a67
SHA-1: 823532851e8132364ad9858a570d25f3d20ab25e
SHA-256: 91b9530eecc214d25991fc898affa248bc2db087074c08b3aa6e8c49c9bfbdba
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic, to various domains. The SE_INVOICE_LURE heuristic indicates a fake invoice or payment lure, which is consistent with the document body mentioning 'Airasia boarding pass no printer'. The ClamAV detection further confirms its malicious nature. The primary attack pattern involves tricking the user into clicking on one of the numerous malicious links.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://whenjusticeisntjust.com/uploads/1/3/0/6/130639472/zogixikexukuwutis.pdf
    • http://clickdowntoearth.com/uploads/1/3/0/4/130479472/2365172.pdf
    • http://zat.djpschool.com/uploads/2020/01/29/2621261.pdf
    • http://truedefensepdr.com/uploads/1/3/0/6/130620958/gebazamoma.pdf
    • http://doylestcafe.com/uploads/1/3/0/3/130323424/e3d61.pdf
    • http://jef.kirovkray.ru/uploads/2020/01/28/6379586.pdf
    • http://misssampson.com/uploads/1/3/0/7/130739238/130739238.html#airasia+boarding+pass+no+printer

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000111d.bin
    SHA-256: 07b18d16806ada27ab615b95f7d175b1a2a11d36295848cec3ea86212d1258da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x111D
    Size: 8708 bytes
  • font_01_sfnt_off00008448.bin
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8448
    Size: 1708 bytes