Malicious PDF — malware analysis report

Static analysis result for SHA-256 969744f887b3d34d…

Verdict: MALICIOUS

File type: PDF

Size: 67.1 KB
Authoring application: PDF Studio
MD5: 700ee1ee7fa387ae9a70c0ff630ebb66
SHA-1: a3ffaee25d98d0cef92b0166473f0b53e9d26a2b
SHA-256: 969744f887b3d34dc6bf0cfdcdcc2c948cb05767fc976b8906d5c59ec3de2efc
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links pointing to external PDF documents hosted on various domains. This technique is commonly used to create link farms for SEO manipulation or to distribute malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection intent. No scripts were extracted, and the document body content was heavily obfuscated and unreadable.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000539b.bin
  SHA-256: ca889182d22413b1a5b6446cd5d954c095bfc2c8b2fec1022b19199100617195
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x539B
  Size: 16028 bytes

Filename: font_01_sfnt_off000067b6.bin
  SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x67B6
  Size: 1388 bytes

Filename: font_02_sfnt_off000071dc.bin
  SHA-256: fe878ae7dd50a23f3641fd242bebce8c2cc0b8e34283e12ac2fb036550744788
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x71DC
  Size: 8152 bytes

Filename: font_03_sfnt_off000090a7.bin
  SHA-256: 5f0ff449105cd07586f9bd8def153e1aae8ddec638068fa4f53d5e86573fa32a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x90A7
  Size: 20632 bytes