Malicious PDF — malware analysis report

Static analysis result for SHA-256 9db871fe76575fc0…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Authoring application: Smallpdf Desktop
MD5: 5e8ebde4258b3de72b3bcb5efc3dfa38
SHA-1: 610002d3a91d85115abee73d3aac45c137d8617b
SHA-256: 9db871fe76575fc0deb4f4e74e2e763f6c4130c9def8c14d3325c7bd1a37baa4
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The document body, though partially corrupted, contains references to URLs that are consistent with the link farm heuristic, suggesting the primary purpose is to drive traffic to these external sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000148c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x148C
  Size: 8780 bytes
  SHA-256: 946931bfa7877b4ad856d18168ecc2544afb97ba59ed5ed4025af2653828262d

Filename: font_01_sfnt_off000061b7.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x61B7
  Size: 16036 bytes
  SHA-256: b3affdfdfee497c2d3230853582529cf395d265bfdbb8cde7d84ae9c33602211