Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1c753ebb193a57f…

Verdict: MALICIOUS
File type: PDF
Size: 43.4 KB
Authoring application: Karbon
MD5: 61fe45b0bea1298ff4e8e35fc2619835
SHA-1: 95b9bc1bb037509eae5214126dcfae1c71ab8e8f
SHA-256: a1c753ebb193a57f2634ec9f30c6af597eab623c0d728505bd990e92bab8922b
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file exhibits the characteristics of a link farm: it contains 31 external links, the first of which resolves to http://nzps2019.nz/uploads/1/3/0/3/130313360/1583748.pdf. This technique is commonly used to distribute phishing content or to lead users to sites hosting malware. The ClamAV detection further supports the malicious verdict.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nzps2019.nz/uploads/1/3/0/3/130313360/1583748.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000189b.bin
SHA-256: 22d6e1140d89317db4dc062ad21d632e9c85e5180662de075d0e56f3b84a6e06
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x189B
Size: 8732 bytes