Malicious PDF — malware analysis report

Static analysis result for SHA-256 9640c4b923c30566…

Verdict: MALICIOUS
File type: PDF
Size: 38.5 KB
Authoring application: pstoedit
MD5: 908708be2ea1ea1f4422c4188d889fb0
SHA-1: c1ab9919321fd7dd43a1cc7d3191174f8bd75949
SHA-256: 9640c4b923c30566061c222df82fac198c48225b2f43c7c07e1b53b86cbf343e
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF contains an unusually large number of external links for its size, as flagged by the PDF_SEO_LINK_FARM heuristic. The 18 extracted link targets each sit on a different domain but share an identical /uploads/1/3/0/<n>/<id>/ path structure, so they were generated from one hosting template rather than cited as independent sources; all but one point at further PDF files, and the remaining one carries an SEO keyword phrase in its URL fragment. This is consistent with a phishing or SEO-poisoning carrier whose primary purpose is to route readers to other hosts, which may in turn deliver malicious or unwanted software. The ClamAV signature match supports the verdict. No JavaScript or other scripts were extracted from this sample, so its only active elements are the link annotations. The pstoedit producer string is self-declared document metadata and is not evidence of origin.

Heuristics 3

  • Small PDF contains mass external PDF link farm (severity: critical; heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://enriquezvacations.com/uploads/1/3/0/7/130775400/malaketedaved.pdf
    • http://raiseyouruxiq.com/uploads/1/3/0/7/130775137/26b9ec.pdf
    • http://djsacademy.com/uploads/1/3/0/6/130640072/xakivabovazojubon.pdf
    • http://day01wapparelgoods.com/uploads/1/3/0/3/130323175/dejekojimovegowip.pdf
    • http://ptinscottsdale.com/uploads/1/3/0/2/130271150/mufoniwepifa.pdf
    • http://oaklands-care-home.com/uploads/1/3/0/3/130313649/6762f7364.pdf
    • http://raremark.net/uploads/1/3/0/6/130620966/livew_bixono_rujuduzi_jobolad.pdf
    • http://konidarisart.com/uploads/1/3/0/3/130313091/9075918.pdf
    • http://swctv.org/uploads/1/3/0/3/130313031/2bf447a00.pdf
    • http://atwoodarmory.com/uploads/1/3/0/5/130588674/xawikisox.pdf
    • http://ppal.space/uploads/1/3/0/5/130539021/3604734.pdf
    • http://umbcs.com/uploads/1/3/0/6/130604945/godadilonifefim_ditigiwumutuwa.pdf
    • http://soaptoad.com/uploads/1/3/0/7/130738943/4633180.pdf
    • http://adjusters.quickcatclaims.com/uploads/1/3/0/2/130289721/vokudizibo-kurojew-luxezuxedule-zoradolepapuz.pdf
    • http://nikkirupu.com/uploads/1/3/0/7/130738715/6be4465.pdf
    • http://bilingualyellowpages.com/uploads/1/3/0/7/130739105/3034795.pdf
    • http://taylorsplayground69.com/uploads/1/3/0/3/130323556/fububuruzow-dunujuf-nowuzi.pdf
    • http://wcd-s2rynr96.mgh-r.ch/uploads/1/3/0/2/130287997/130287997.html#advantages+and+disadvantages+of+ackerman+steering
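The link-farm heuristic above is described only generically (many clickable external links, mostly on one host). The following Python is an added example, not the analysis tool's own code, showing how such a check can be implemented: it pulls /URI link targets out of a PDF, including annotations hidden inside FlateDecode object streams that a plain grep for /URI misses, then measures file size, link count and host concentration. It goes beyond the one-host description by also measuring concentration on a shared path template, which is the pattern this sample shows (18 domains, one /uploads/1/3/0/... layout). The build_sample_pdf fixture, the thresholds (100 KB, 10 links, 50% share) and the names extract_uris and link_farm_report are assumptions; the sample link list reuses ten of the targets listed above and nothing is fetched from them.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) literal string; backslash-escaped characters may appear inside the parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Naive stream boundaries; a real parser honours /Length instead of searching for 'endstream'.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Link targets taken from the report above (ten of the eighteen), reused as fixture input.
SAMPLE_LINKS = [
    "http://enriquezvacations.com/uploads/1/3/0/7/130775400/malaketedaved.pdf",
    "http://raiseyouruxiq.com/uploads/1/3/0/7/130775137/26b9ec.pdf",
    "http://djsacademy.com/uploads/1/3/0/6/130640072/xakivabovazojubon.pdf",
    "http://day01wapparelgoods.com/uploads/1/3/0/3/130323175/dejekojimovegowip.pdf",
    "http://ptinscottsdale.com/uploads/1/3/0/2/130271150/mufoniwepifa.pdf",
    "http://oaklands-care-home.com/uploads/1/3/0/3/130313649/6762f7364.pdf",
    "http://raremark.net/uploads/1/3/0/6/130620966/livew_bixono_rujuduzi_jobolad.pdf",
    "http://konidarisart.com/uploads/1/3/0/3/130313091/9075918.pdf",
    "http://swctv.org/uploads/1/3/0/3/130313031/2bf447a00.pdf",
    "http://wcd-s2rynr96.mgh-r.ch/uploads/1/3/0/2/130287997/130287997.html#advantages+and+disadvantages+of+ackerman+steering",
]
# Constructed benign control: two links to unrelated hosts (assumed URLs).
CONTROL_LINKS = ["https://example.org/docs/spec.pdf", "https://example.com/about"]


def _unescape(raw: bytes) -> str:
    """Resolve the PDF literal-string escapes that can occur inside a URL."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes, inflate: bool = True) -> list[str]:
    """Collect every /URI target. With inflate=True, FlateDecode streams (including object
    streams that hold annotation dictionaries) are decompressed and scanned as well."""
    uris = [_unescape(m) for m in URI_RE.findall(pdf)]
    if not inflate:
        return uris
    for m in STREAM_RE.finditer(pdf):
        try:
            data = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a zlib stream (image data, font program, ...)
        uris += [_unescape(x) for x in URI_RE.findall(data)]
    return uris


def link_farm_report(pdf: bytes, max_size: int = 100_000,
                     min_links: int = 10, share: float = 0.5) -> dict:
    """Score a PDF against the link-farm pattern: small file, many external links, and the
    links concentrated on one host or on one path template. Thresholds are illustrative."""
    external = [u for u in extract_uris(pdf) if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    # Directory part of each path with digit runs collapsed. This catches farms whose links
    # sit on many different domains but were generated from one hosting template.
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in external)
    n = len(external)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "size": len(pdf),
        "links": n,
        "hosts": len(hosts),
        "pdf_targets": sum(urlsplit(u).path.lower().endswith(".pdf") for u in external),
        "top_host_share": round(top_host, 2),
        "top_template_share": round(top_template, 2),
        "PDF_SEO_LINK_FARM": len(pdf) <= max_size and n >= min_links
                             and max(top_host, top_template) >= share,
    }


def build_sample_pdf(urls: list[str], compress: bool = True) -> bytes:
    """Constructed one-page fixture, not a real sample. With compress=True the page object,
    and so every link annotation, lives inside a FlateDecode object stream, which is what
    makes a plain grep for /URI come back empty. No cross-reference table is written
    because the scanner above never consults one."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>"
        for u in urls)
    page = f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [ {annots} ] >>"
    parts = [b"%PDF-1.5\n",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"]
    if compress:
        head = b"3 0 "  # object stream header: object number and offset of the first object
        body = zlib.compress(head + page.encode("latin-1"))
        parts.append(b"4 0 obj << /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\n"
                     b"stream\n" % (len(head), len(body)) + body + b"\nendstream\nendobj\n")
    else:
        parts.append(b"3 0 obj " + page.encode("latin-1") + b" endobj\n")
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    farm = build_sample_pdf(SAMPLE_LINKS)
    print("plain scan:", len(extract_uris(farm, inflate=False)), "URIs;",
          "after inflating streams:", len(extract_uris(farm)))
    print(link_farm_report(farm))
    print(link_farm_report(build_sample_pdf(CONTROL_LINKS)))
```

Running the block prints zero links for the plain scan of the compressed fixture and ten after inflating, then a report with ten hosts but a single path template, which is what trips the flag; the two-link control is not flagged. A production implementation should walk the cross-reference table and honour /Length rather than regex stream boundaries, and should treat the extracted URLs as indicators to block or pivot on, never as something to fetch from an analyst workstation.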

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000037dd.bin
SHA-256:  b9b9864fc0e418f7286f14a3b26f474b60e12061f3d0023fe6ab284179f4d0af
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x37DD
Size:     8620 bytes