Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d20e32d9e78c779…

MALICIOUS

PDF

Size: 45.2 KB
Authoring application: Nitro PDF
MD5: 8c273320c97da62f133abf3ef91c4ee5
SHA-1: dcfaa1bbf28126157970b243bf07a8e4c97400fe
SHA-256: 9d20e32d9e78c779d83eeac063c10817a62afc5c88475cdf0ce34591f7e0193c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic. This suggests a phishing or SEO spamming campaign. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious intent, likely related to traffic redirection or phishing. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000034cb.bin
  SHA-256: f662ef206a0ae1a049a9392ebbe1de957f9b2deae6c6508ed0769770f54861ba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x34CB
  Size: 16952 bytes

Filename: font_01_sfnt_off00004f92.bin
  SHA-256: d847d2319d26cf6c22001b2f66084a83af689676ba413764128f5165dd204631
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4F92
  Size: 7796 bytes