Malicious PDF — malware analysis report

Static analysis result for SHA-256 a27688f6a0d7e502…

MALICIOUS

PDF

Size: 35.1 KB
Authoring application: Serif PagePlus
MD5: bf390e6d57588045600352f045ad7663
SHA-1: 95d8065a5830232cf64aad4c3320dfa3f98ccabc
SHA-256: a27688f6a0d7e502f59443ffcd8f1066f40b1e9e618ae63263a12820366bb068
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. The document body, though heavily obfuscated, contains numerous URLs pointing to PDF files, suggesting a phishing or redirection attempt. The primary intent appears to be to direct users to download further malicious content via the extensive link farm.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mydbcommunity.com/uploads/1/3/0/5/130588688/5910237.pdf
    • http://national-energy.us/uploads/1/3/0/6/130620973/5430135.pdf
    • http://shopraebtq.com/uploads/1/3/0/2/130289809/1495906.pdf
    • http://audio4n6.com/uploads/1/3/0/3/130323196/12a7961f.pdf
    • http://nicklibonati.com/uploads/1/3/0/6/130621044/wupewoxawaludanaxa.pdf
    • http://knoxfoodtours.com/uploads/1/3/0/5/130542908/lezerox.pdf
    • http://newwavecarpetandtile.com/uploads/1/3/0/6/130620490/5997790.pdf
    • http://larisamanescu.com/uploads/1/3/0/6/130620863/wivemonevu.pdf
    • http://sthfromnth.com/uploads/1/3/0/2/130270777/gimedeza-vuvupewafis-xudegupovawi-gomifazowabexe.pdf
    • http://americanshomer.com/uploads/1/3/0/6/130604996/d7e8e8f3df.pdf
    • http://mvsdcurriculum.weebly.com/uploads/1/3/0/2/130289392/7eeac40dd00f52.pdf
    • http://561sixthave.com/uploads/1/3/0/4/130489563/pukab_riragidu.pdf
    • http://carlamaebailey.com/uploads/1/3/0/5/130588221/sedawizara_geven.pdf
    • http://gasuwide.detskepovidky.com/uploads/2020/01/28/fc0a20c.pdf
    • http://katdar.net/uploads/1/3/0/5/130588749/2f9f9.pdf
    • http://drperryslp.com/uploads/1/3/0/5/130543663/2777185e.pdf
    • http://trytoberich.com/uploads/2020/01/28/lokigetalari.pdf
    • http://akasharae.com/uploads/1/3/0/6/130604877/74d4cfbb9e3.pdf
    • http://nawojo.e7ernall.pw/uploads/2020/01/28/a2ae275016.pdf
    • http://benkregel.com/uploads/1/3/0/5/130589412/130589412.html#mast+magan+song+download+mp3

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001518.bin
SHA-256: 1f9e4f3a1b07ee398ab7e08609dd91684149bb0e8faba1b27042100439068150
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1518
Size: 7884 bytes