Malicious PDF — malware analysis report

Static analysis result for SHA-256 981a86d0e9de7bc0…

MALICIOUS

PDF

Size: 37.6 KB    Authoring application: GIMP
MD5: 7ccee66a0a28370f471dc6bb70b717e5 SHA-1: 3cd025465097325ce9c48f50b4c08b21ff33a523 SHA-256: 981a86d0e9de7bc04d83b10c4a093449b872750592f50e09de33ff15fcef08e2
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link    T1059.001 Command and Scripting Interpreter: PowerShell

The 37.6 KB PDF carries 23 extracted URLs spread over 22 distinct domains; 21 of them target .pdf files, and every one of them sits under the identical /uploads/1/3/0/<n>/<nine-digit id>/ path layout, which is the mark of mass-generated hosting rather than genuine document citations. One link (pencilpenservices.com) points at an HTML page whose URL fragment spells out the lure ("convert your pdf file to excel or csv"), matching the PDF-to-Excel/CSV text found in the partially corrupted document body. Taken together with the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the PDF_SEO_LINK_FARM heuristic, this indicates a generated SEO/link-farm carrier built to route users into a phishing or unwanted-software delivery chain. Because the body text is damaged, the exact landing content behind the links could not be recovered statically.

Heuristics (3)

  • Small PDF contains mass external PDF link farm    critical    PDF_SEO_LINK_FARM
    A small PDF carrying many clickable external .pdf links whose targets cluster, either on a single host or, as in this sample, across 22 unrelated domains that all share the same generated /uploads/1/3/0/<n>/<id>/ path layout. This matches mass-produced SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal citation pattern. Since the targets are spread over many domains, the shared path layout is the more durable indicator for blocking and hunting than any one host.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.annekevanderlende.nl/uploads/1/3/0/7/130776150/6c67aa4.pdf
    • http://keepupwiththekeys.com/uploads/1/3/0/5/130539315/04342e71f8.pdf
    • http://www.trumpdeepstate.com/uploads/1/3/0/6/130604730/kowodadubipof.pdf
    • http://www.my-matthew-national-agency.com/uploads/1/3/0/5/130550983/25f2e92.pdf
    • http://hpcctimex.com/uploads/1/3/0/2/130291592/ronixovurel_davoxojiwuf_kezov.pdf
    • http://texasstocklawyers.com/uploads/1/3/0/3/130313484/pisipibolanezi-renuvoporafawer.pdf
    • http://portalfarmaceutico.net/uploads/1/3/0/3/130379821/373327.pdf
    • http://christopherleeauthor.com/uploads/1/3/0/5/130538987/2f2287.pdf
    • http://mydispatchers.com/uploads/1/3/0/4/130489039/9032664.pdf
    • http://med-impulse.ru/uploads/1/3/0/6/130604150/12a07d.pdf
    • http://waitakaruruschool.com/uploads/1/3/0/5/130548070/6332530.pdf
    • http://impulsandotusfinanzas.com/uploads/1/3/0/2/130289748/9861272.pdf
    • http://appea.com/uploads/1/3/0/5/130551294/musilotikupitebamu.pdf
    • http://sheldonxink.com/uploads/1/3/0/4/130436182/22187.pdf
    • http://kerrycrawford.com/uploads/1/3/0/7/130776828/2024394.pdf
    • http://northsidecigars.com/uploads/1/3/0/5/130543941/rejonerejesede.pdf
    • http://thegirlygabby.com/uploads/1/3/0/3/130379167/zodilureb_jokuw.pdf
    • http://cosmosit.net/uploads/1/3/0/6/130603690/fegumutogez_majovub.pdf
    • http://alumi68.info/uploads/1/3/0/6/130605203/5673312.pdf
    • http://www.midairconnect.net/uploads/1/3/0/5/130550834/11e9a30fb.pdf
    • http://duojonssoncoudroy.com/uploads/1/3/0/6/130605044/figaxosazagasos.pdf
    • http://pencilpenservices.com/uploads/1/3/0/3/130313453/130313453.html#convert+your+pdf+file+to+excel+or+csv
    • http://appea.com/uploads/1/3/0/5/130551294/musilotikupitebam
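As an added example, not part of the original report and not the analysis platform's own implementation of the heuristic, the following Python reproduces the gist of the PDF_SEO_LINK_FARM check on a constructed sample: it pulls /URI link targets out of raw PDF bytes, counts the external .pdf links, and measures how strongly they cluster by host and by normalised path template (the second measure is what catches a sample like this one, where 22 distinct hosts share one path layout). The host names, the thresholds and the minimal PDF builder are assumptions chosen for illustration. A production check must also inflate FlateDecode object streams and decode hex strings, which this raw-byte regex does not.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Literal-string /URI target inside a link action: << /S /URI /URI (http://...) >>
# The capture group tolerates backslash-escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal string found in the raw bytes, escapes undone.

    Caveat: only plaintext objects are seen. URIs inside compressed object
    streams or written as hex strings <...> need a real PDF parser to surface.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([\\()])", lambda e: e.group(1), m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Directory part of the URL path with digit runs normalised to N.

    /uploads/1/3/0/5/130539315/04342e71f8.pdf -> /uploads/N/N/N/N/N
    """
    directory = urlparse(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def seo_link_farm_check(pdf_bytes: bytes, max_size: int = 250_000,
                        min_pdf_links: int = 10, cluster_share: float = 0.5) -> dict:
    """Approximate the PDF_SEO_LINK_FARM heuristic (thresholds are assumptions).

    Flags a small PDF whose external .pdf links either pile onto one host or,
    as in the analysed sample, spread over many hosts sharing one path layout.
    """
    uris = extract_uris(pdf_bytes)
    ext_pdf = [u for u in uris
               if urlparse(u).scheme in ("http", "https")
               and urlparse(u).path.lower().endswith(".pdf")]
    n = len(ext_pdf)
    hosts = Counter(urlparse(u).hostname for u in ext_pdf)
    templates = Counter(path_template(u) for u in ext_pdf)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template, top_template_n = templates.most_common(1)[0] if n else ("", 0)
    template_share = top_template_n / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_pdf_links
               and max(top_host_share, template_share) >= cluster_share)
    return {
        "size": len(pdf_bytes),
        "uri_count": len(uris),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host_share, 2),
        "dominant_path_template": top_template,
        "template_share": round(template_share, 2),
        "flagged": flagged,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Construct a minimal uncompressed PDF with one /Link annotation per URL.

    A test fixture for the check above, not a reproduction of the real sample.
    """
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{annot_refs}] >>".encode())
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        y = 700 - 12 * i
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [50 {y} 300 {y + 10}] "
                    f"/A << /S /URI /URI ({esc}) >> >>".encode())
    out, offsets = b"%PDF-1.4\n", []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + obj + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref}\n%%EOF\n").encode()
    return out


# Constructed fixture: twelve farm links on twelve made-up hosts that copy the
# /uploads/1/3/0/<n>/<id>/ layout seen in the report, one ordinary PDF link,
# and one HTML lure link carrying the conversion bait in its fragment.
SAMPLE_URLS = [
    f"http://farm-{i:02d}.example/uploads/1/3/0/{i % 8}/1305{i:05d}/{i * 7919:07d}.pdf"
    for i in range(12)
] + [
    "https://docs.example/whitepaper.pdf",
    "http://lure.example/page.html#convert+your+pdf+file+to+excel+or+csv",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for key, value in seo_link_farm_check(SAMPLE_PDF).items():
        print(f"{key:>23}: {value}")
```

Run it directly to see the verdict on the fixture; to triage a real file, pass `open(path, "rb").read()` to `seo_link_farm_check` after inflating any object streams with a PDF library. The per-host share stays low on a sample like this one, which is why the path-template share is the discriminating signal.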

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003165.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3165
Size: 8216 bytes
SHA-256: 6b318017eb1903830b83608d7bf10342fe6069a34d05d1190e57be6026388853