Malicious PDF — malware analysis report

Static analysis result for SHA-256 92cb812a99210ee5…

Verdict: MALICIOUS
File type: PDF
Size: 55.9 KB
Authoring application: QPDF
MD5: 4096dd765e5c31bddbdbe957601fee20
SHA-1: 6a69ad95ed178fbcd027e4a545111d6f866d1e2c
SHA-256: 92cb812a99210ee53c033fe9c4641c56b9993ee9c278b5030d01aa4c1e81ec54
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious classification. The document body itself is heavily obfuscated but contains numerous links, suggesting a lure to external content. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014c7.bin
SHA-256: 65682dbf0881afb0eca14736f90c2029291b7c7dba4804ee1e68b1958161b914
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14C7
Size: 9912 bytes