Malicious PDF — malware analysis report

Static analysis result for SHA-256 9434781dae00fbaa…

MALICIOUS

PDF

Size: 69.4 KB
Authoring application: GIMP
MD5: 68c330adee4ac2043359f5d7e447925a
SHA-1: fa8b2501b8592c2f056ec07e158c09d801d56a73
SHA-256: 9434781dae00fbaab2b05b75feefeee40c641819fae23cae8bc2cc1ccf8854a8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link farm pointing to numerous external PDF documents hosted on various domains. This technique is commonly used to distribute phishing content or redirect users to malicious websites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection intent.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://conwaymodelengineering.com/uploads/1/3/0/6/130620854/2910367.pdf
    • http://laurenobern.com/uploads/1/3/0/5/130547112/5179359.pdf
    • http://dgomola.weebly.com/uploads/1/3/0/3/130323324/gevopabor.pdf
    • http://kovriki.online/uploads/2020/01/28/guxujipefemovaf_luxarovasomomad_susobupinumize.pdf
    • http://miseniorcenters.com/uploads/1/3/0/7/130776582/jepizobopekam.pdf
    • http://penncrossknoll.com/uploads/1/3/0/2/130287514/7881682.pdf
    • http://misssupremepurityqueen.com/uploads/1/3/0/7/130739503/130739503.html#nursing+management+of+pericardial+effusion

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000011dc.bin
    SHA-256: f6350254b934f1f132f15d273fc4f758d34e146ca4b36ba3536656e5ec0fc91e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11DC
    Size: 8656 bytes
  • Filename: font_01_sfnt_off0000ca9c.bin
    SHA-256: 61ca593122bdf9f8d2de89784c713a2b278bdd5b054eff5a59c50fd3ef05b3a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCA9C
    Size: 16148 bytes