Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e17073b42f58045…

Verdict: MALICIOUS

File type: PDF

Size: 35.9 KB
Authoring application: Solid Converter PDF
MD5: 829d3a199e05c0a6b11754fe3b339f96
SHA-1: ad69e4eb7355e3aaaaf71fe99ac96bb99d060313
SHA-256: 9e17073b42f58045c59d05b0d7b219dadd5dafffe2b320850006e3f6f686064c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of this file. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000122f.bin
SHA-256:  f67250217292ad7fbfa40a501a65f13b583e27f517749479aad6fe7664e13cd9
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x122F
Size:     8812 bytes