Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1e22c5f77c7a316…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Authoring application: pstoedit
MD5: 6d610a3425d6013fd0ef6bfb75a80325
SHA-1: 4e4d2198ed3441d039539acf73e5c15e9b534f32
SHA-256: a1e22c5f77c7a3166dfd32fbb5fbc1e813ce675cddbd14d5c1f4e33cf5913b9a
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the sub-technique ID given; T1566.001 is the ID for Spearphishing Attachment)
T1059.001 PowerShell (platform-assigned tag; none of the static findings below show a PowerShell artifact, so treat it as unevidenced for this sample)

The PDF carries an unusually large number of external link annotations for its size: 20 URLs were extracted, 19 of them pointing at other PDF files, which is what triggers the PDF_SEO_LINK_FARM heuristic. The links do not cluster on a single host; they are spread over 20 unrelated domains that all share the same /uploads/1/3/0/<n>/<9-digit id>/ path template, the signature of a mass-generated link-farm carrier whose job is to route the reader into a malicious or unwanted-software delivery chain. ClamAV independently matches the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body is partially corrupted, but the fragment of the one HTML link (training+manual+hypertensive+disorders+in+pregnancy+2018) shows the lure: a search-engine bait page posing as a training manual, intended to get the reader to click through.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sthfromnth.com/uploads/1/3/0/6/130604532/fexozaxadabeduvedir.pdf
    • http://rockthecatspa.us/uploads/1/3/0/2/130270990/3564737.pdf
    • http://metamorphosisinblack.net/uploads/1/3/0/5/130544384/dafozimarexajunakut.pdf
    • http://angelavinson.com/uploads/1/3/0/2/130272234/1017314.pdf
    • http://mimundo.pl/uploads/1/3/0/6/130604250/nivenovibobazek.pdf
    • http://www.barrapayan.com/uploads/1/3/0/5/130588810/7af23c3e8.pdf
    • http://simpletomatoes.com/uploads/1/3/0/6/130640219/83b854ec9ec9529.pdf
    • http://exitplanningcollaborative.com/uploads/1/3/0/4/130435711/ff4f85f.pdf
    • http://kq7q.com/uploads/1/3/0/5/130589297/ravelil-gukelaxaxana-tutatunobud-vegizunen.pdf
    • http://norecordsnobs.com/uploads/1/3/0/8/130814177/menipajurifof-namexuxe.pdf
    • http://diceandwhatever.com/uploads/1/3/0/7/130740492/rumaronoxuz.pdf
    • http://motivationalresearch.org/uploads/1/3/0/7/130775845/vodetowujiraz_patalododekepu_bawide_bajuvafipepija.pdf
    • http://shalafreeman.com/uploads/1/3/0/5/130543682/2298e091.pdf
    • http://premierluxurymarketingconsultant.com/uploads/1/3/0/2/130288402/firijuwipiku_dozepuk.pdf
    • http://www.marbeduke.com/uploads/1/3/0/7/130776673/4548990.pdf
    • http://jblackbird.net/uploads/1/3/0/7/130739831/xosulobuweril.pdf
    • http://relaymobile.us/uploads/1/3/0/6/130604459/refosoxuv-puwasikof-pujozul-datorekevajexog.pdf
    • http://alohastudionh.com/uploads/1/3/0/7/130739015/finarab.pdf
    • http://abcbienesraices.com/uploads/1/3/0/7/130739048/zumix.pdf
    • http://74-123-72-189.mgwnet.com/uploads/1/3/0/4/130488197/130488197.html#training+manual+hypertensive+disorders+in+pregnancy+2018
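The PDF_SEO_LINK_FARM heuristic above is a judgement about link annotations: how many /URI targets a small file carries and how they cluster. The following Python is an added example of that check, written for this page and not the analysis platform's own code. It pulls /URI literal strings straight out of the raw bytes (hex-string and object-stream encoded annotations are out of scope, an assumption that holds for most generated carriers), then scores the set by external-PDF link count, share of links on the busiest host and, going one step past the heuristic's own wording, share of links sharing the same digit-collapsed path template, which is what ties the 20 different hosts in this sample together. The sample PDF, its hosts and the thresholds are constructed for the example.

```python
"""PDF link-farm check over /URI link annotations.

Added example for this report, not the analysis platform's code. It scans
raw PDF bytes for /URI literal strings, so it does not see URIs stored as
hex strings or inside compressed object streams (assumption: a plain,
uncompressed carrier, which is how generated link-farm PDFs usually arrive).
"""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI ( ... ) with the PDF literal-string escapes \( \) \\ allowed inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal string found in the raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(path: str) -> str:
    """Collapse digit runs in the directory part of a path, so that
    /uploads/1/3/0/6/130604532/a.pdf and /uploads/1/3/0/2/130270990/b.pdf
    both become /uploads/N/N/N/N/N."""
    directory = path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_score(pdf_bytes: bytes, min_pdf_links: int = 10,
                    max_size: int = 200 * 1024, cluster_share: float = 0.5) -> dict:
    """Score a PDF for the link-farm pattern. The thresholds are assumptions
    chosen for this example, not the platform's tuned values."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    templates = Counter(path_template(urlparse(u).path) for u in external)
    n = len(external)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    host_share = top_host_n / n if n else 0.0
    tpl_share = top_tpl_n / n if n else 0.0
    # Small file, many outbound PDF links, and the links cluster either on one
    # host (the heuristic's wording) or on one path template (this sample).
    flagged = (len(pdf_bytes) <= max_size
               and len(pdf_links) >= min_pdf_links
               and max(host_share, tpl_share) >= cluster_share)
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host, "top_host_share": host_share,
        "top_template": top_tpl, "top_template_share": tpl_share,
        "flagged": flagged,
    }


def _pdf_literal(s: str) -> bytes:
    """Escape a string for use inside a PDF literal string ( ... )."""
    return (s.encode("latin-1").replace(b"\\", b"\\\\")
            .replace(b"(", b"\\(").replace(b")", b"\\)"))


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF with one /Link annotation per URL (test input
    for this example, not the analysed sample)."""
    annots = b" ".join(
        b"<< /Type /Annot /Subtype /Link /Rect [72 %d 300 %d] "
        b"/A << /S /URI /URI (%s) >> >>" % (700 - 14 * i, 712 - 14 * i, _pdf_literal(u))
        for i, u in enumerate(urls))
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
            + annots + b"] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%EOF\n")


# Constructed hosts mimicking the sample's shape: many unrelated domains, one
# shared /uploads/1/3/0/<n>/<9-digit id>/ template, plus one .html bait page.
SAMPLE_URLS = [
    f"http://site{k:02d}.example/uploads/1/3/0/{k % 9}/1306{k:05d}/lure{k}.pdf"
    for k in range(1, 13)
] + ["http://site99.example/uploads/1/3/0/4/130488197/130488197.html#training+manual"]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(SAMPLE_URLS)
    for key, value in link_farm_score(data).items():
        print(f"{key:20} {value}")
```

Run it with a path to a real PDF as the only argument to score that file; with no argument it scores the constructed sample, which is flagged on the path-template criterion alone because every host is different. Tune min_pdf_links and cluster_share against a corpus of benign documents before treating the output as a detection.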

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000051d7.bin
SHA-256:  ce6844a22d7ac8539b3cfa2cb9abd56a02f17aaca2b93d6bc3d1624176935423
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x51D7
Size:     8020 bytes
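The report carves the embedded sfnt font but gives no verdict on it. Font parsers are a long-standing attack surface in PDF readers, so the first thing to do with a carved font is to confirm it is a well-formed sfnt before handing it to anything heavier. The following Python is an added example of that first pass, written for this page and not the platform's extractor: it reads the offset table and table directory, checks that every table record stays inside the blob, recomputes each table's checksum (skipping 'head', whose checkSumAdjustment field has to be zeroed before its checksum can be recomputed) and lists anything a font parser would trip over. The sample fonts are constructed inline; the carved font_00_sfnt_off000051d7.bin would be passed in as the blob.

```python
"""First-pass structural check of a carved sfnt (TrueType/OpenType) font.

Added example for this report, not the analysis platform's extractor.
Parses the offset table and table directory, verifies table bounds and
per-table checksums, and reports anything a font parser would choke on.
"""
import struct

SFNT_VERSIONS = {
    0x00010000: "TrueType",
    0x4F54544F: "OpenType (CFF outlines, 'OTTO')",
    0x74727565: "TrueType ('true', Apple)",
}


def table_checksum(data: bytes) -> int:
    """sfnt table checksum: sum of big-endian uint32 words over the table
    padded to a 4-byte boundary, modulo 2**32."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def parse_sfnt(blob: bytes) -> dict:
    """Return the format, a tag -> (offset, length) map and a list of
    structural problems found in the table directory."""
    if len(blob) < 12:
        raise ValueError("shorter than an sfnt offset table")
    version, num_tables = struct.unpack(">IH", blob[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError(f"unknown sfnt version 0x{version:08X}")
    tables, problems = {}, []
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(blob):
            problems.append(f"table directory truncated at record {i}")
            break
        tag, stored, offset, length = struct.unpack(">4sIII", blob[rec:rec + 16])
        name = tag.decode("latin-1")
        if not all(0x20 <= c < 0x7F for c in tag):
            problems.append(f"record {i}: non-printable tag {tag!r}")
        if offset + length > len(blob):
            problems.append(f"{name}: offset {offset} + length {length} exceeds blob size {len(blob)}")
            continue
        # 'head' stores its checksum with checkSumAdjustment zeroed, so a
        # naive recomputation never matches; it is skipped here.
        if tag != b"head" and table_checksum(blob[offset:offset + length]) != stored:
            problems.append(f"{name}: checksum mismatch (stored 0x{stored:08X})")
        tables[name] = (offset, length)
    return {
        "format": SFNT_VERSIONS[version],
        "num_tables": num_tables,
        "tables": tables,
        "problems": problems,
    }


def build_sfnt(tables: dict, bad_checksum=(), overlong=()) -> bytes:
    """Constructed sfnt for testing (not the carved font). tables maps
    4-byte tag -> body; tags in bad_checksum get a corrupted directory
    checksum, tags in overlong get a length running past the end of the blob."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)  # search fields left 0
    directory, data = b"", b""
    base = 12 + 16 * n
    for tag, body in tables.items():
        offset = base + len(data)
        checksum = table_checksum(body)
        if tag in bad_checksum:
            checksum ^= 0xDEADBEEF
        length = len(body) + (0x10000 if tag in overlong else 0)
        directory += struct.pack(">4sIII", tag, checksum, offset, length)
        data += body + b"\0" * (-len(body) % 4)
    return header + directory + data


if __name__ == "__main__":
    import sys
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sfnt({b"cmap": b"\x00\x00\x00\x01\x00\x02", b"glyf": b"\x01\x02\x03"}))
    print(parse_sfnt(blob))
```

A clean result here only says the directory is consistent; the individual tables (cmap, glyf, CFF, post) still need a real parser run under a sandbox or a fuzzing harness if the font is suspected of carrying an exploit. A directory that fails these checks is already worth a closer look, since a legitimate authoring tool such as pstoedit does not emit broken tables.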