Malicious PDF — malware analysis report

Static analysis result for SHA-256 95bf8a4daa502e09…

MALICIOUS

PDF

43.8 KB Authoring application: PDFBox
MD5: d9d35f4d72aa3979104ee1a579b46135 SHA-1: 4629d70595787d2d4777ff4f12485b11549f232d SHA-256: 95bf8a4daa502e09365fea2fce6bb86964d12d36e2b9a1a76bee0d4cd25b000f
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a large number of external links, many of which are structured as SEO-optimized links pointing to other PDF files. The heuristic 'SE_BROWSER_INSTALL_LURE' indicates the document likely prompts the user to install a browser extension or update, a common social engineering tactic. The ClamAV detection further supports its malicious nature. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://scricco.org/uploads/1/3/0/4/130435943/luxuti.pdf
    • http://babenow.com/uploads/1/3/0/2/130288412/2438820.pdf
    • http://mostafaelbaba.net/uploads/1/3/0/6/130605353/01f59e77f8.pdf
    • http://mojibliss.com/uploads/1/3/0/5/130589044/8817630.pdf
    • http://blatherscatdesign.com/uploads/1/3/0/6/130605338/romuda.pdf
    • http://ludgatehillpartners.com/uploads/1/3/0/2/130287867/614569a645c.pdf
    • http://scriptureboxes.com/uploads/1/3/0/5/130551839/mabijepe_dokonasowaveba.pdf
    • http://norwalkrealestateguru.com/uploads/1/3/0/5/130550724/pavodiriw.pdf
    • http://www.littledragonsrugby.org/uploads/1/3/0/5/130540104/1272662.pdf
    • http://malamaphotobooth.com/uploads/1/3/0/6/130604729/8244490.pdf
    • http://springbrookaerospace.com/uploads/1/3/0/6/130604475/rupalepidipar.pdf
    • http://crownway.org/uploads/1/3/0/2/130289498/zezujunasajoziv-tadigo.pdf
    • http://escortsclassifiednetwork.com/uploads/1/3/0/4/130476432/6947184.pdf
    • http://www.dandelionwings.com/uploads/1/3/0/4/130435520/5668747.pdf
    • http://arabshortfilmfactory.com/uploads/1/3/0/8/130814329/e41bc5c4fe6.pdf
    • http://whiskeyandwine.net/uploads/1/3/0/8/130873973/nijegavonuzojogu.pdf
    • http://54north.info/uploads/1/3/0/6/130620854/1577176.pdf
    • http://baijialegongshi.br3h.com/uploads/1/3/0/8/130813635/130813635.html#the+adventures+of+tom+sawyer+1938+subtitles

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000026bc.bin
27aad4e7100ae85831cc1a9cf4859e84521ff6b1ee9ac199fa10e6c4d4b25dad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x26BC 2736 bytes
font_01_sfnt_off0000300a.bin
4851b40d733df440cb920dcc7a48f041c087a636d7f2e94037a0b545acb7c086		 pdf-font-stream PDF embedded font (sfnt) at offset 0x300A 17048 bytes
font_02_sfnt_off00004ad5.bin
3d5ffc8929cceb99006825448b3aabc33e9ddef1103df666b7e0f3cabe685ba0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4AD5 9972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.