Malicious PDF — malware analysis report

Static analysis result for SHA-256 a04c2cc52668fe75…

MALICIOUS

PDF

42.3 KB Authoring application: PDF Studio
MD5: 2c44be2a8d32409923d0f5ee98dc5a51 SHA-1: e4b34c980739c9ec577766855ec894c030532295 SHA-256: a04c2cc52668fe7524b83c37fe9713a6f62363eb82a171fc000127164ac25317
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, identified as a "PDF_SEO_LINK_FARM" heuristic. One of these links, http://wanderingalchemistjuiceco.com/uploads/1/3/0/6/130639910/litexafedusaxikufi.pdf, is presented as a download lure. ClamAV also detected this file as "Pdf.Phishing.TtraffRobotInstall-7605656-0", indicating a phishing or malicious download distribution purpose.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wanderingalchemistjuiceco.com/uploads/1/3/0/6/130639910/litexafedusaxikufi.pdf
    • http://tefeva.ionos-internet.net/uploads/2020/01/28/61c10558afe9.pdf
    • http://tovadutu.alcoprofi.com/uploads/2020/01/28/lifumerodenujujid.pdf
    • http://rep-christ.com/uploads/1/3/0/3/130323892/watorebiduwo.pdf
    • http://bctee.com/uploads/1/3/0/6/130604885/9366917.pdf
    • http://lst-beton.ru/uploads/2020/01/27/ce3c8dccabcf0.pdf
    • http://paulchirita.weebly.com/uploads/1/3/0/2/130288391/wilarekun.pdf
    • http://olgadating.pro/uploads/2020/01/28/011bf09dd3e.pdf
    • http://nollcompliance.com/uploads/1/3/0/2/130274291/jizalikesik-lebabut-jupidubeni.pdf
    • http://dufiwemaki.serviicosbr.com/uploads/2020/01/28/27b4a179c72dd44.pdf
    • http://kulob.audiostart31.icu/uploads/2020/01/29/zanegubatus-danujopizo-mepesozivekibap-mumerulab.pdf
    • http://pula.katalog-z.com/uploads/2020/01/29/wivit.pdf
    • http://moonrisetours.com/uploads/1/3/0/6/130639891/a89794ea.pdf
    • http://cynthiasmindset.com/uploads/1/3/0/6/130604294/898bb7aaa989.pdf
    • http://serendipitousdesigns.net/uploads/1/3/0/3/130313188/xowujotusigi.pdf
    • http://bodydelux.com/uploads/1/3/0/5/130545573/4080437.pdf
    • http://dirosastudiolegale.com/uploads/1/3/0/5/130590059/6851803.pdf
    • http://paulsfavoritestuff.com/uploads/1/3/0/5/130588589/mutakujijovuwilivu.pdf
    • https://xatukoronixelaw.weebly.com/uploads/1/3/0/5/130590677/7b14876d6c.pdf
    • http://arlencollisioncenter.com/uploads/1/3/0/6/130640079/28ad99d01c.pdf
    • http://sshhoppp104.fun/uploads/2020/01/29/xaxevemup-levax-noduj.pdf
    • http://bartolomeilaw.com/uploads/1/3/0/3/130313056/130313056.html#microsoft+expression+encoder

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000016ac.bin
d6565bcb1e0ab1e0fb8bc3a74a8e4d120e6f5fbe86638839b2b9fd27d3fe0fce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16AC 8792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.