Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c743f5fb0aaf99c…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Authoring application: Smallpdf Desktop
MD5: c16d60386a22ea60365434b4c4e01cb0
SHA-1: 363fa04a61764ad9db29f76b58ed344a15e952e3
SHA-256: 9c743f5fb0aaf99c3b4ae6f616d92d36c62f4a6310ee2c9288fd53c7a4c6b6e1
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, many of which are hosted on compromised or suspicious domains, suggesting a link farm or phishing campaign. The heuristic 'SE_INVOICE_LURE' indicates the document's content is designed to deceive the user into taking action, likely by clicking on one of the embedded URLs. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The primary malicious URL identified is http://precisionrunning.com/uploads/1/3/0/4/130483355/72e1c6bb2c.pdf.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://precisionrunning.com/uploads/1/3/0/4/130483355/72e1c6bb2c.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014d4.bin
SHA-256: de2f5b8d61c1715df519e696ee4a06863118bc0733c2f3f66d23d30c9c273e93
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14D4
Size: 8204 bytes