Malicious PDF — malware analysis report

Static analysis result for SHA-256 945e9426f78204c2…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Authoring application: Soda PDF
MD5: f2424d30eb8c3c3487d00b7a94f5eb01
SHA-1: ff3d6674ed85dab603db4db1d138df95634f4420
SHA-256: 945e9426f78204c22d754933ffd776c3b39d75955044b70a2154fe3dce1f8ef8
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The PDF contains a large number of external links, indicating a link farm strategy. The 'SE_ENABLE_LURE' heuristic confirms that the document instructs the user to enable macros or editing, a common technique for malware droppers. The ClamAV detection further supports its malicious nature. The primary attack pattern involves tricking the user into enabling content to download and execute a secondary payload.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_ENABLE_LURE (medium): Macro/content-enable lure
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00002cae.bin | efe41cb4757344bda3dd1affbfa1d1fc6d539c0708bc1541b179df59fdef8392 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2CAE | 6412 bytes
font_01_sfnt_off00003f27.bin | 90de8f73813c668e4fd0b313e30bf1c8e833c4bf92400fb14ff75520bd84301b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3F27 | 8076 bytes