Malicious PDF — malware analysis report

Static analysis result for SHA-256 9284af5602ba175d…

MALICIOUS

PDF

Size: 95.3 KB
Authoring application: Inkscape
MD5: 52681366faea1e234b6bf8750229b539
SHA-1: aa8883b58d5ca015de2e977200a95cc1b0340637
SHA-256: 9284af5602ba175d58667e02be8d053aa65e3059f52d0835a353b27106e17f9f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF carries 26 embedded URLs, each on a different host, 25 of them pointing to other PDF files; every target shares the same /uploads/<digits>/<nine-digit id>/<file> path layout, which points to a single hosting platform or generator rather than organic citations. This is the signature of SEO link-farm PDFs used to manipulate search rankings or to route readers into malicious or unwanted-software download chains. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports phishing or malicious-redirection intent. No JavaScript or other scripts were extracted from the sample, so the delivery mechanism beyond the outbound links cannot be determined statically; in particular, the T1059.001 (PowerShell) mapping is not evidenced by any artifact recovered here and should be read as a downstream-chain association rather than observed behaviour. Treat the listed hosts as indicators for the redirection chain and retrieve them, if at all, only from an isolated analysis environment.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external links to other PDF files. In a generated link farm the targets cluster on one host or, as in this sample, on one hosting platform's upload-path layout spread across many domains; either way the pattern matches SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware with signature Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) shows which extraction path reached each URL.
    • http://missinglinkbrewery.com/uploads/1/3/0/2/130291575/6387042.pdf
    • http://nickgiamarino.com/uploads/1/3/0/2/130271131/tanibulopufuki_xaxajalup_xatuzeru.pdf
    • http://www.m344project.com/uploads/1/3/0/5/130551558/6694446.pdf
    • http://www.nasimofoods.com/uploads/1/3/0/4/130488885/4789602.pdf
    • http://colorcraftpaintingokc.com/uploads/1/3/0/2/130270894/f37690f8b8f8.pdf
    • http://harbinvodka.com/uploads/1/3/0/7/130776558/kotisit-tarivosikur.pdf
    • http://stevenschristian.com/uploads/1/3/0/5/130545485/donevanomito_rojosokobasu.pdf
    • http://marc-jacobsoutlet.dadgifts.us/uploads/1/3/0/6/130620840/8378034.pdf
    • http://orkett.com/uploads/1/3/0/5/130541445/0cae37.pdf
    • http://provasanteriores.net/uploads/1/3/0/5/130551991/bozizovurujaj.pdf
    • http://obakosobotanica.org/uploads/1/3/0/5/130590224/wevubadovuzena.pdf
    • http://jmco.in/uploads/1/3/0/4/130477702/lipinepeborosijizoza.pdf
    • http://step1.fun/uploads/1/3/0/7/130739129/1005844.pdf
    • http://red11leader.com/uploads/1/3/0/3/130313466/getijomop_surogogisof_jexedup_zaguko.pdf
    • http://walkswithtonks.com/uploads/1/3/0/6/130639975/2d97282c9f.pdf
    • http://drgnwear.club/uploads/1/3/0/5/130542983/1014385.pdf
    • http://ingenacel.com/uploads/1/3/0/5/130543188/lofajepajezonesifa.pdf
    • http://daddysduties.com/uploads/1/3/0/5/130588529/8998775.pdf
    • http://wamits.com/uploads/1/3/0/5/130550711/7214285c9d.pdf
    • http://listentothelonging.com/uploads/1/3/0/7/130739996/pifefu-selagu.pdf
    • http://rockkicker.com/uploads/1/3/0/6/130604422/5e28484.pdf
    • http://iphoneplugz.com/uploads/1/3/0/6/130620776/rosuxomukavek_danez_logopifaru.pdf
    • http://the300groupevents.com/uploads/1/3/1/0/131070109/gujorojusugeruropovo.pdf
    • http://chhsports.com/uploads/1/3/0/7/130739117/suwem.pdf
    • http://zephramtales.com/uploads/1/3/0/4/130436441/2387642.pdf
    • http://mingrentang.bpmtc.com/uploads/1/3/0/5/130541944/130541944.html#download+ayat+ruqyah+untuk+diri+sendiri
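The PDF_SEO_LINK_FARM heuristic above scores a file on link count, file size and target clustering. The Python script below is an added example, not the scanner's own code: it constructs a small PDF in memory from a subset of the link targets listed in this report plus two constructed ordinary reference links, extracts the /URI targets of the link annotations with a regex, and applies a link-farm score. The thresholds (10 .pdf targets, 200 KB, 80% of links sharing one path shape), the function names and the digit-collapsing path template are assumptions of the example. It also generalizes the "clustered on one host" test to a shared path layout, which is what this sample shows across 26 distinct hosts.

```python
"""Link-farm scoring for PDF link annotations (added example, not the scanner's code).

Constructs a small PDF in memory, extracts /URI link-annotation targets with a
regex, then scores the document the way the PDF_SEO_LINK_FARM heuristic above
describes: small file, many external .pdf targets, targets sharing one path
shape. Thresholds and field names are assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: nine .pdf targets and the one .html target copied
# from the report's URL list, plus two ordinary reference links for contrast.
SAMPLE_URLS = [
    "http://missinglinkbrewery.com/uploads/1/3/0/2/130291575/6387042.pdf",
    "http://nickgiamarino.com/uploads/1/3/0/2/130271131/tanibulopufuki_xaxajalup_xatuzeru.pdf",
    "http://www.m344project.com/uploads/1/3/0/5/130551558/6694446.pdf",
    "http://www.nasimofoods.com/uploads/1/3/0/4/130488885/4789602.pdf",
    "http://colorcraftpaintingokc.com/uploads/1/3/0/2/130270894/f37690f8b8f8.pdf",
    "http://harbinvodka.com/uploads/1/3/0/7/130776558/kotisit-tarivosikur.pdf",
    "http://orkett.com/uploads/1/3/0/5/130541445/0cae37.pdf",
    "http://step1.fun/uploads/1/3/0/7/130739129/1005844.pdf",
    "http://the300groupevents.com/uploads/1/3/1/0/131070109/gujorojusugeruropovo.pdf",
    "http://mingrentang.bpmtc.com/uploads/1/3/0/5/130541944/130541944.html#download+ayat+ruqyah+untuk+diri+sendiri",
    "https://www.rfc-editor.org/rfc/rfc8259.txt",  # ordinary citation (constructed)
    "https://example.org/docs/whitepaper.pdf",     # ordinary citation (constructed)
]


def _pdf_string(s: str) -> bytes:
    """Encode s as a PDF literal string, escaping backslash and parentheses."""
    raw = s.encode("latin-1")
    for ch in (b"\\", b"(", b")"):  # backslash first so later escapes survive
        raw = raw.replace(ch, b"\\" + ch)
    return b"(" + raw + b")"


def build_sample_pdf(urls) -> bytes:
    """Minimal one-page PDF whose only content is /Link annotations (constructed;
    the xref table is omitted, which the regex extractor does not need)."""
    annots = []
    for i, url in enumerate(urls):
        annots.append(
            b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI %s >> >> endobj\n" % (4 + i, _pdf_string(url))
        )
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [" + refs + b"] >> endobj\n"
        + b"".join(annots)
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# A PDF literal string after /URI; handles backslash escapes but not unescaped
# nested parentheses, which the PDF spec allows and a full parser would handle.
_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)


def extract_uri_links(pdf_bytes: bytes) -> list:
    """Return /URI link targets found in uncompressed PDF bytes. Annotations
    stored inside FlateDecode object streams must be inflated first."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in _URI_RE.finditer(pdf_bytes)]


def path_template(url: str) -> str:
    """Collapse a URL path to its shape: digit runs become N, the file name *."""
    directory = urlsplit(url).path.rpartition("/")[0]
    return re.sub(r"\d+", "N", directory) + "/*"


def score_link_farm(pdf_bytes: bytes, min_pdf_links: int = 10,
                    max_size: int = 200_000, min_template_share: float = 0.8) -> dict:
    """Apply the link-farm heuristic; threshold values are illustrative assumptions."""
    urls = extract_uri_links(pdf_bytes)
    external = [u for u in urls if urlsplit(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    top_template, top_count = templates.most_common(1)[0] if templates else ("", 0)
    share = top_count / len(external) if external else 0.0
    flagged = (len(pdf_bytes) <= max_size
               and len(pdf_targets) >= min_pdf_links
               and share >= min_template_share)
    return {
        "size": len(pdf_bytes),
        "links": len(external),
        "pdf_targets": len(pdf_targets),
        "distinct_hosts": len(hosts),
        "top_template": top_template,
        "template_share": round(share, 3),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in score_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key:15} {value}")
```

The regex extractor only sees objects stored in the clear; a PDF that keeps its annotations in FlateDecode object streams has to be inflated first (the decompressed stream carved in the artifacts section below is exactly that kind of object), or handed to a real parser. Whatever extracts the targets, resolving or fetching them belongs on an isolated analysis host, never on the analyst's workstation.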

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off00010d04.bin
  SHA-256: 9354b9ce0dacbe6cb8ef7fa2c5e763de382e901566cfa8bbfc28065fc70c2f97
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x10D04
  Size:    32084 bytes

Filename: font_00_sfnt_off0000153a.bin
  SHA-256: 2366453e6a0d28c5bbc5a3cbe0cbf4890268abd96d251c6ad6a411016a7c2119
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x153A
  Size:    8128 bytes