Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1bcf600c00b251f…

MALICIOUS

PDF

Size: 38.5 KB
Authoring application: Inkscape
MD5: 7cfd277cd91179a6810b6440a3310c7e
SHA-1: ba677615a233c52d4b81a8bb6a3243032108dcb6
SHA-256: a1bcf600c00b251f7b8026be1210d8a89b67a5560673e81a0b0bfcfebe32e79a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF files, indicative of a link farm or redirection scheme. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious traffic generation intent. No scripts were extracted from this sample, but the extensive URL list suggests a delivery mechanism for further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003475.bin
    SHA-256: 2b06d533b9f920d03975c471e377e5699775fbb37e5c93c03953d75989ccd01e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3475
    Size: 8164 bytes