Malicious PDF — malware analysis report

Static analysis result for SHA-256 933befd75d1e156d…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Authoring application: Adobe PDF Library 9.0
MD5: 6fe6fda07939e796607b4091deaa3c07
SHA-1: 29e9b0cd1f069f527a3de2db3f597adf0179b39a
SHA-256: 933befd75d1e156dd11aff16141df188df8b06c2a588be7ab320d0e04285ec1e
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a significant number of embedded external links, forming a link farm. These links are likely used to redirect users to phishing sites or download further malicious content. The document body contains text related to a medical termination of pregnancy act, which may be a lure to disguise the malicious intent.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000349c.bin
Hash: ae5dc90ff2c358032d9a427acf45cd96333bca3820aa2a76adc29ddaa44301fe
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x349C
Size: 7476 bytes