Malicious PDF — malware analysis report

Static analysis result for SHA-256 9db37fc75dd487dc…

MALICIOUS

PDF

35.2 KB Authoring application: pstoedit
MD5: 5eae59e915f4e298992fc03abee9d9c9 SHA-1: 945c3c3d56c38a9e190bd508f849c60f84a7f9d6 SHA-256: 9db37fc75dd487dc7ad20ea8e970d0744447690fd0bc7b553242d3db8d98ddd1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further suggests a malicious intent, likely related to phishing or traffic redirection. The embedded URLs are the primary IOCs, suggesting a campaign to distribute content or redirect users through a network of linked documents.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://rollershadeiq.com/uploads/1/3/0/6/130639337/022bd19.pdf
    • http://raduxafiz.lechenienarkomanii-stavropol.ru/uploads/2020/01/27/fezaza.pdf
    • http://oregonap.com/uploads/1/3/0/2/130291640/5884797.pdf
    • http://attictudeinc.com/uploads/1/3/0/5/130589007/jurolirorakovup.pdf
    • http://wifiavto.ru/uploads/2020/01/29/417984.pdf
    • http://solarscrappers.com/uploads/1/3/0/4/130488699/9482854.pdf
    • http://zufi.silane-guard16.ru/uploads/2020/01/27/dobanapi.pdf
    • http://douglaspharmachems.com/uploads/1/3/0/4/130483540/xolakovuwoxos.pdf
    • http://bupupof.igrovye-avtomaty-na-dengi.top/uploads/2020/01/28/madoke.pdf
    • https://sejolera.weebly.com/uploads/1/3/0/4/130436037/7527876.pdf
    • http://mofikufi.marcexpert.ru/uploads/2020/01/28/jajirukotej.pdf
    • http://bucksnortnrunclayworks.com/uploads/1/3/0/5/130588616/8638180.pdf
    • http://xibidaput.sverhpotok.com/uploads/2020/01/29/c90dd5c8b05d380.pdf
    • http://ceoempowerment.net/uploads/1/3/0/3/130379379/fipedezajoxeve.pdf
    • http://mymoneybuilder.com/uploads/1/3/0/3/130323328/8853247.pdf
    • http://jim.pp-offer.xyz/uploads/2020/01/28/9130967.pdf
    • http://featurebeam.com/uploads/1/3/0/2/130272979/zusubuz.pdf
    • http://curerecords.net/uploads/1/3/0/3/130323717/aba96c4.pdf
    • http://christianrmcdaniel.com/uploads/1/3/0/6/130620645/3b6e2a797.pdf
    • http://san69.com/uploads/1/3/0/5/130589199/130589199.html#line+of+symmetry+worksheets

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000014ea.bin
906f3fb74f8072a40d0e378fc89f61351c28271915bb89f2115f0c528a6b1f33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14EA 7868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.