Malicious PDF — malware analysis report

Static analysis result for SHA-256 95c11c93b649a1e4…

MALICIOUS

PDF

Size: 42.8 KB
Authoring application: Pdftk
MD5: 6d25e84308d9d02be1ffe26cb1e22838
SHA-1: 7165a881055e9e1b2f277911e8d9a1e728cbbbac
SHA-256: 95c11c93b649a1e410c0daa228bd76a94e302cd388c9278db39a1943426ec158
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, as detected by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on unrelated domains, suggesting a link farm or redirection mechanism. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or traffic redirection intent. The document body contains garbled text mixed with a URL related to BNP Paribas, likely a lure to disguise the malicious intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://youarenotaloneart.com/uploads/1/3/0/6/130620198/wutupikon.pdf
    • http://dragonflyfloralrentals.com/uploads/1/3/0/5/130588701/907ae5.pdf
    • http://mrsac.net/uploads/1/3/0/6/130620334/aec598fd53d.pdf
    • http://cannabisusa.world/uploads/1/3/0/6/130621654/0ced9db2bc03529.pdf
    • http://safiasclothing.com/uploads/1/3/0/6/130605442/jogezijajeg.pdf
    • http://casino13.ru/uploads/2020/01/29/lazalejum.pdf
    • http://colddiamnd.com/uploads/1/3/0/6/130639138/130639138.html#www+epargnant+epargne+retraite+entreprises+bnpparibas+com

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000112a.bin
  SHA-256: 360f8e6507d6091e592a656574f9c3d24a45fa762440d597fe9babe2b218096b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x112A
  Size: 9348 bytes

Filename: font_01_sfnt_off00006140.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6140
  Size: 16036 bytes