Malicious PDF — malware analysis report

Static analysis result for SHA-256 91dad4404bce4c9a…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Authoring application: Mobipocket Creator
MD5: 65c7c438c6764f4074dbbfd90656ea23
SHA-1: 79df5ef48050b8869cf3737f5f502b57137c5eb2
SHA-256: 91dad4404bce4c9ad3e33d97cefc861e9d0c8e529ecc2fa685c584ef47e21656
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains a large number of embedded link-annotation URLs, flagged by the PDF_SEO_LINK_FARM heuristic. Almost every link points to another PDF, each on a different domain, yet all share the same /uploads/1/3/0/N/130xxxxxx/ path template; one link instead resolves to an .html page carrying an SEO keyword fragment. That pattern is characteristic of mass-generated link-farm carriers rather than genuine document citations. ClamAV independently matches the file against a known phishing signature (Pdf.Phishing.TtraffRobotInstall-7605656-0). The links are most likely used to route a reader through a chain of similar PDFs into phishing or unwanted-software delivery pages.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://webmail.websitesandsocialmedia.com/uploads/1/3/0/4/130436173/fa6f3113e76fd8.pdf
    • http://lc-propertysolutions.net/uploads/1/3/0/4/130478433/samaxis.pdf
    • http://nursinghomepj.com/uploads/1/3/0/2/130288542/suwutepazil.pdf
    • http://ironelectronics.com/uploads/1/3/0/2/130287839/ec0dddb.pdf
    • http://strongarmcafe.com/uploads/1/3/0/7/130775701/fesilijafebe.pdf
    • http://www.gaulwallacelaw.com/uploads/1/3/0/2/130289629/a9e089.pdf
    • http://constructioninsurance.net/uploads/1/3/0/2/130272483/kowunixabobijo-rikogamulimaki.pdf
    • http://www.versatilepumpsandfabrication.com/uploads/1/3/0/7/130739095/disedobuzoziw.pdf
    • http://cetefub.store/uploads/1/3/0/2/130289663/dumixumezefo.pdf
    • http://z.ag/uploads/1/3/0/2/130272247/6c3e7b1bcb8bf.pdf
    • http://drivenwildmn.com/uploads/1/3/0/7/130740148/ziwilikumuzu.pdf
    • http://luchalibrevive.com/uploads/1/3/0/2/130289354/874885.pdf
    • http://www.shophopeharbor.com/uploads/1/3/0/6/130604250/kugelis.pdf
    • http://www.mybackyardfarmla.com/uploads/1/3/0/7/130775704/8157213a6.pdf
    • http://asthethirdworldinnorthamericaturns.com/uploads/1/3/0/7/130740255/ba95794ea791.pdf
    • http://gyrtn.bpmtc.com/uploads/1/3/0/2/130289393/130289393.html#animal+tracks+worksheet+kindergarten
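The following is an added example of how a link-farm heuristic of the kind PDF_SEO_LINK_FARM describes can be reproduced offline; it is illustration code, not the scanner's own implementation. It builds a small PDF with one /Link annotation per URL, pulls the /URI targets back out with a regex, and scores the document on size, number of external .pdf links and how tightly those links cluster. Clustering is measured both by host (the canned heuristic text) and by normalised path template, because in this sample the links are spread over many domains but share one /uploads/1/3/0/N/130xxxxxx/ shape. The .example hosts, the thresholds (100 KB, 10 links, 50% share) and the function names are assumptions chosen for the demo.

```python
import os
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample URLs (assumption): invented .example hosts that mimic the
# report's pattern of many distinct domains sharing one /uploads/1/3/0/N/130xxxxxx/ path shape,
# plus one .html page as in the report.
FARM_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/13{i:07d}/doc{i}.pdf"
    for i in range(15)
] + ["http://site99.example/uploads/1/3/0/2/130000099/130000099.html#topic"]

# A normal document citing a couple of external resources, for contrast (constructed).
BENIGN_URLS = ["https://spec.example/standard.pdf", "https://www.example.org/"]


def build_link_pdf(urls):
    """Write a minimal one-page PDF carrying one /Link annotation with a /URI action per URL."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annot_refs + b"] >>")
    for url in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + url.encode("ascii") + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_off = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_off)
    return bytes(out)


# Matches literal-string /URI actions in uncompressed objects. Real samples may carry the
# same action as a hex string or inside an object stream, so decompress the file first
# (pdf-parser, pypdf, ...) before relying on this regex in a triage pipeline.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_link_uris(pdf_bytes):
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def path_template(url):
    """Directory part of the URL path with digit runs normalised, e.g. /uploads/#/#/#/#/#."""
    return re.sub(r"\d+", "#", os.path.dirname(urlparse(url).path))


def score_link_farm(pdf_bytes, max_size=100_000, min_pdf_links=10, cluster_share=0.5):
    """Score one PDF: small file, many external .pdf links, links clustered by host or path template."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    external_pdf = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    n = len(external_pdf)
    hosts = Counter(urlparse(u).netloc.lower() for u in external_pdf)
    templates = Counter(path_template(u) for u in external_pdf)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    clustered = top_host_share >= cluster_share or top_template_share >= cluster_share
    return {
        "size_bytes": len(pdf_bytes),
        "total_links": len(uris),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host_share,
        "top_path_template_share": top_template_share,
        "is_link_farm": len(pdf_bytes) <= max_size and n >= min_pdf_links and clustered,
    }


if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(name, score_link_farm(build_link_pdf(urls)))
```

The host-share check alone would miss this sample (fifteen links, fifteen hosts), which is why the path-template share is computed as a second clustering signal; a two-link document with a single host scores a high share but fails the link-count gate, so it is not flagged.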

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003477.bin
SHA-256: 307324be7c3b328dbd1aae358dbe3457812953868d15187030dd467720cc1ee1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3477
Size: 7560 bytes