Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b50e0a4ea2dd784…

MALICIOUS

Type: PDF
Size: 30.3 KB
Authoring application: GIMP
MD5: 79b8f464438ac1e96a79e2e40d69c8ac
SHA-1: 14a84d3a2770d2909a3dc562aa58b5f27b129456
SHA-256: 9b50e0a4ea2dd7845c6aabda81648157f66d464e666e6b95386191f42af9a765
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.002 User Execution: Malicious File

The PDF contains a large number of embedded URLs: 22 of the 23 extracted links point to external PDF files. Each link sits on a different host, but all of them share the same /uploads/1/3/0/<digit>/<nine-digit id>/ path layout, which is characteristic of a generated link farm or a phishing campaign that routes users to malicious content rather than of a genuine document's citations. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing classification.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://oakandiris.com/uploads/1/3/0/6/130620532/fabelisodiw.pdf
    • http://thisweeksbestdeals.com/uploads/1/3/0/2/130273624/tosina.pdf
    • http://dollenmeier.net/uploads/1/3/0/5/130588834/jivetexi.pdf
    • http://nzbriards.com/uploads/1/3/0/4/130435848/papepalisuwada_xusedikediti_zusekejura_jamox.pdf
    • http://alibraryandagarden.com/uploads/1/3/0/7/130739780/c72f7d.pdf
    • http://etomolagi.com/uploads/1/3/0/5/130589049/52a5496f6d15b1.pdf
    • http://agauos.com/uploads/1/3/0/6/130621324/tesevexoworo_mibov_fasabowino_texexavegod.pdf
    • http://triciazoellerauthor.com/uploads/1/3/0/7/130775282/xuzirig.pdf
    • http://samarayaart.com/uploads/1/3/0/4/130478602/bilex.pdf
    • http://andtheylivedhappilyeverafter.com/uploads/1/3/0/4/130476501/992894.pdf
    • http://aeronautairplay.com/uploads/1/3/0/4/130488831/rudavexorum.pdf
    • http://yesonzforpvsd.com/uploads/1/3/0/6/130620861/2d70de4554ff.pdf
    • http://hajwanfoodplanet.org/uploads/1/3/0/9/130969048/4438113.pdf
    • http://ninjataps.com/uploads/1/3/0/2/130270905/vuxuraziwozoworunupe.pdf
    • http://renewair.org/uploads/1/3/0/6/130639364/4620624.pdf
    • http://oakdalepoolservice.com/uploads/1/3/0/2/130272426/gusasa_lofewevo_xevakuwifarewu_tuworodomojuvi.pdf
    • http://stempeldrang.nl/uploads/1/3/0/2/130271011/zuzimumod.pdf
    • http://www.heartlandshibas.com/uploads/1/3/0/6/130604958/jafezu.pdf
    • http://eaglesbridge.org/uploads/1/3/0/6/130620325/93073d82.pdf
    • http://vegaindustriesllc.com/uploads/1/3/0/4/130478704/guvudujogup.pdf
    • http://scrimmies.com/uploads/1/3/0/7/130776069/fezukawajiperojilelo.pdf
    • http://wellsviewcare.org/uploads/1/3/0/7/130739183/b79cf4b58.pdf
    • http://685cm.slpny.com/uploads/1/3/0/6/130604289/130604289.html#tilawat+quran+tarjuma+kanzul+iman
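The PDF_SEO_LINK_FARM rule above can be approximated directly from a file's raw bytes: pull every /URI target out of the link annotations, count how many are external .pdf links, and check whether they cluster. The script below is an added example written for this page, not the analysis engine's own implementation; the thresholds, the path-shape clustering (numeric path segments collapsed to N) and the helper names are assumptions. Because this sample's links span 23 different hosts, a host-only clustering test would miss it, so the example also clusters on path layout, which is what ties these URLs together. The input is constructed: a minimal uncompressed PDF built in memory from ten of the URLs listed in this report plus the .html one, beside a two-link control document.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions for this example, not the report engine's values.
MAX_SIZE_BYTES = 200 * 1024   # "small PDF"
MIN_PDF_LINKS = 8             # "many clickable external PDF links"
CLUSTER_SHARE = 0.5           # fraction of links sharing one host or one path shape

# /URI (...) entry of a URI action; tolerates \( \) \\ escapes inside the literal string.
_URI_RE = re.compile(rb"/URI\s*\((?P<u>(?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return /URI targets visible in uncompressed PDF objects.
    Caveat: objects inside /ObjStm or behind /FlateDecode are not matched;
    inflate them first (e.g. with pdf-parser.py or pypdf) before calling this."""
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = m.group("u").replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_shape(url):
    """Directory part of the URL path with numeric segments collapsed, so that
    /uploads/1/3/0/6/130620532/x.pdf and /uploads/1/3/0/2/130273624/y.pdf
    both map to /uploads/N/N/N/N/N."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/N", directory)


def classify(pdf_bytes):
    """Apply the link-farm heuristic and return the evidence plus a verdict."""
    external = [u for u in extract_uris(pdf_bytes) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    shapes = Counter(path_shape(u) for u in external)
    top_host = hosts.most_common(1)[0] if hosts else (None, 0)
    top_shape = shapes.most_common(1)[0] if shapes else (None, 0)
    n = len(external)
    clustered = n > 0 and max(top_host[1], top_shape[1]) / n >= CLUSTER_SHARE
    hit = len(pdf_bytes) <= MAX_SIZE_BYTES and len(pdf_links) >= MIN_PDF_LINKS and clustered
    return {"size": len(pdf_bytes), "external_links": n, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_path_shape": top_shape, "PDF_SEO_LINK_FARM": hit}


def build_pdf(urls):
    """Constructed one-page, uncompressed PDF with one Link annotation per URL."""
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            None]                                   # object 3 (the page) is filled in below
    refs = []
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI ({esc}) >> >>")
        refs.append(f"{len(objs)} 0 R")
    objs[2] = f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{' '.join(refs)}] >>"
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)


# Constructed inputs: a subset of the URLs listed in this report, and a two-link control.
REPORT_URLS = [
    "http://oakandiris.com/uploads/1/3/0/6/130620532/fabelisodiw.pdf",
    "http://thisweeksbestdeals.com/uploads/1/3/0/2/130273624/tosina.pdf",
    "http://dollenmeier.net/uploads/1/3/0/5/130588834/jivetexi.pdf",
    "http://nzbriards.com/uploads/1/3/0/4/130435848/papepalisuwada_xusedikediti_zusekejura_jamox.pdf",
    "http://alibraryandagarden.com/uploads/1/3/0/7/130739780/c72f7d.pdf",
    "http://etomolagi.com/uploads/1/3/0/5/130589049/52a5496f6d15b1.pdf",
    "http://agauos.com/uploads/1/3/0/6/130621324/tesevexoworo_mibov_fasabowino_texexavegod.pdf",
    "http://triciazoellerauthor.com/uploads/1/3/0/7/130775282/xuzirig.pdf",
    "http://samarayaart.com/uploads/1/3/0/4/130478602/bilex.pdf",
    "http://andtheylivedhappilyeverafter.com/uploads/1/3/0/4/130476501/992894.pdf",
    "http://685cm.slpny.com/uploads/1/3/0/6/130604289/130604289.html#tilawat+quran+tarjuma+kanzul+iman",
]
CONTROL_URLS = ["https://example.com/whitepaper.pdf", "https://example.org/slides.pdf"]

if __name__ == "__main__":
    for name, urls in (("report subset", REPORT_URLS), ("control", CONTROL_URLS)):
        print(name, classify(build_pdf(urls)))
```

Run against the report subset the verdict is True on the strength of the path-shape cluster (11 of 11 links share /uploads/N/N/N/N/N) even though no host appears twice; the control stays False because it has too few PDF links. For a real sample, inflate compressed objects before scanning, otherwise extract_uris sees nothing and the file looks clean.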

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000188c.bin
SHA-256: a53da6622ad1e0a00281d3ef7da12c86853ebc2f8f4019cb2f1a1d553a0ae55f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x188C
Size: 6444 bytes