Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4b0c4cc9c535800…

Verdict: MALICIOUS
File type: PDF
Size: 34.2 KB
Authoring application: Inkscape
MD5: 851154a0ecfe91dd886fdd1f62868a7b
SHA-1: 769a57ca9da6f2fcc4ee0fe6c295fa81534b03a0
SHA-256: a4b0c4cc9c53580092a0d02762e68e014c8dd77aef3e936c6fa8a5ab6b385d5b
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF carries a large number of link annotations pointing to external PDF documents on many different domains, nearly all of them using the same generated /uploads/1/3/0/N/13xxxxxxxx/<name>.pdf path layout. That is the profile of a link farm or redirection scheme used to funnel readers into phishing or further malware delivery, not of a document citing sources. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently points to the same phishing or traffic-redirection intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://theprincipalentrepreneur.com/uploads/1/3/0/2/130289653/7b8ebd53.pdf
    • http://kanigipire.holidayandpackage.com/uploads/2020/01/28/liwupoxerizipup.pdf
    • http://bingscatering.net/uploads/1/3/0/4/130491757/deviguradubinobud.pdf
    • http://s-w-p.org/uploads/1/3/0/4/130483990/nadegajodu-voxodipo-lizejeragipawa-kizekizu.pdf
    • http://nutritionrxllc.com/uploads/1/3/0/6/130620185/fisokufelinu-dimipeniniwug.pdf
    • http://lilyhockcreations.com/uploads/1/3/0/4/130488934/bidodizigov.pdf
    • http://upperhunterfreshmeals.com.au/uploads/1/3/0/5/130551256/gevuxomilidikuf-jamemanoxo.pdf
    • http://reliablelimoja.com/uploads/1/3/0/2/130287401/fad4f.pdf
    • http://cectcapecod.com/uploads/1/3/0/2/130289668/f669d5195.pdf
    • https://xopaxutozuwox.weebly.com/uploads/1/3/0/4/130435987/kopojivi.pdf
    • http://chicagolatexproducts.com/uploads/1/3/0/6/130604923/7ee21c44.pdf
    • http://ne-surgerycenter.net/uploads/1/3/0/6/130639861/130639861.html#action+words+worksheets+for+grade+1
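The PDF_SEO_LINK_FARM heuristic above combines three observations: the file is small, it holds many clickable links to external .pdf targets, and those targets cluster on few hosts. The script below is an added example of that logic, written for this page; it is not the analyzer's code, and the thresholds MAX_SIZE, MIN_PDF_LINKS and MIN_TOP_HOST_SHARE are assumed values the report does not publish. It pulls /URI actions out of the raw file and out of any stream that inflates as zlib (PDF writers commonly pack annotation dictionaries into Flate-compressed object streams, where a plain grep would miss them), then computes the per-host distribution. The sample PDF is constructed inline with .test domains and is not the analysed file.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Hypothetical thresholds for the PDF_SEO_LINK_FARM rule (the report does not
# publish the real ones): "small" file, many external .pdf links, most on one host.
MAX_SIZE = 100 * 1024
MIN_PDF_LINKS = 5
MIN_TOP_HOST_SHARE = 0.5

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_literal(lit: bytes) -> str:
    # PDF literal strings escape ( ) and \ with a backslash; undo the common cases.
    return re.sub(rb"\\([()\\])", rb"\1", lit).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Collect every /URI target from the raw bytes and from any stream that
    inflates as zlib (FlateDecode object streams often hide annotation dicts)."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate, or a stream we cannot inflate; skip it
    return [unescape_literal(m.group(1)) for blob in blobs for m in URI_RE.finditer(blob)]


def link_farm_score(pdf: bytes) -> dict:
    """Apply the link-farm heuristic and return the evidence behind the verdict."""
    uris = extract_uris(pdf)
    pdf_hosts = []
    for u in uris:
        p = urlparse(u)
        if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf"):
            pdf_hosts.append(p.hostname or "")
    counts = Counter(pdf_hosts)
    top_host, top_n = counts.most_common(1)[0] if counts else ("", 0)
    share = top_n / len(pdf_hosts) if pdf_hosts else 0.0
    flagged = (len(pdf) <= MAX_SIZE
               and len(pdf_hosts) >= MIN_PDF_LINKS
               and share >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf), "links": len(uris), "pdf_links": len(pdf_hosts),
            "hosts": len(counts), "top_host": top_host,
            "top_host_share": round(share, 3), "PDF_SEO_LINK_FARM": flagged}


def make_link(num: int, url: bytes) -> bytes:
    """One uncompressed /Link annotation object carrying a /URI action."""
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, url))


# Constructed sample (not the analysed file): seven link annotations in the clear
# plus one packed into a Flate-compressed object stream, mimicking the generated
# /uploads/1/3/0/N/... path layout seen in the report's URL list.
FARM_A = b"http://farm-a.test/uploads/1/3/0/2/130289653/%s.pdf"
OBJSTM_BODY = (b"12 0 << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
               + (FARM_A % b"fad4f") + b") >> >>")
OBJSTM_DATA = zlib.compress(OBJSTM_BODY)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 12 0 R] >> endobj\n"
    + make_link(4, FARM_A % b"7b8ebd53")
    + make_link(5, FARM_A % b"liwupoxerizipup")
    + make_link(6, FARM_A % b"deviguradubinobud")
    + make_link(7, FARM_A % b"nadegajodu-voxodipo")
    + make_link(8, b"http://farm-b.test/uploads/2020/01/28/bidodizigov.pdf")
    + make_link(9, b"https://farm-b.test/uploads/1/3/0/4/130435987/kopojivi.pdf")
    + make_link(10, b"http://other.test/uploads/1/3/0/6/130639861.html#action+words")
    + b"11 0 obj << /Type /ObjStm /N 1 /First 5 /Length %d /Filter /FlateDecode >>\nstream\n" % len(OBJSTM_DATA)
    + OBJSTM_DATA + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, value in link_farm_score(SAMPLE_PDF).items():
        print(f"{key:>20}: {value}")
```

Two caveats for real samples: a /URI can also be written as a hex string <...> or assembled by JavaScript at click time, neither of which this regex sees, and an encrypted PDF keeps its strings opaque until decrypted. Treat the result as triage evidence to be read next to the extracted URL list, as the report does, not as a verdict on its own.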

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001493.bin
SHA-256:  8126157706c13633420734f70e1eaddf666047b573f60a2964b65547b4c45af0
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1493
Size:     7952 bytes
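The artifact record above (offset, size, SHA-256, generated filename) is what a carver produces after locating an sfnt font header and sizing the font from its table directory. The script below is an added example of that procedure, written for this page and not the analyzer's own code: it scans a buffer for the sfnt magic values (0x00010000 for TrueType, 'OTTO' for CFF-based OpenType, 'true' for Apple TrueType), rejects hits whose bytes do not parse as a table directory, takes the font length as the furthest table end, and emits the same kind of record. The bound MAX_TABLES and the filename pattern are assumptions; the PDF and the two-table font inside it are constructed inline and are not the analysed sample.

```python
import hashlib
import struct

# TrueType, CFF-based OpenType and Apple TrueType sfnt signatures.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64   # assumed sanity bound; real fonts have far fewer tables


def sfnt_length(buf: bytes, off: int):
    """Length of the sfnt starting at buf[off], derived from its table directory,
    or None if the bytes there do not parse as one (false-positive magic)."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    avail = len(buf) - off              # bytes available from the header on
    end = 12 + 16 * num_tables          # header plus table records
    if end > avail:
        return None
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):   # tags are printable ASCII
            return None
        if t_off < 12 or t_off + t_len > avail:      # offsets are font-relative
            return None
        end = max(end, t_off + t_len)
    return end


def carve_sfnt_fonts(buf: bytes) -> list:
    """Scan buf for sfnt headers, validate each by its table directory and return
    an artifact record (filename, offset, size, SHA-256, bytes) per real font."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(buf, off)
        if length is None:
            pos = off + 1            # e.g. the keyword 'true' in PDF syntax
            continue
        blob = buf[off:off + length]
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{off:08x}.bin",
            "offset": off, "size": length,
            "sha256": hashlib.sha256(blob).hexdigest(), "data": blob,
        })
        pos = off + length           # do not rescan inside the carved font


def build_fake_sfnt() -> bytes:
    """Constructed two-table TrueType-style sfnt (valid directory, not a usable font)."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"constructed-font")]
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 32, 1, 0)
    records, data = b"", b""
    offset = 12 + 16 * len(tables)
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, offset, len(body))
        body += b"\x00" * (-len(body) % 4)   # table data is 4-byte aligned
        data += body
        offset += len(body)
    return header + records + data


# Constructed sample PDF: the font sits in an uncompressed FontFile-style stream,
# next to two decoys (the keyword 'true' and a stray 0x00010000) that the
# directory check must reject.
FAKE_SFNT = build_fake_sfnt()
FONT_OBJ = b"6 0 obj << /Length %d >>\nstream\n" % len(FAKE_SFNT) + FAKE_SFNT + b"\nendstream\nendobj\n"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /MarkInfo << /Marked true >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"5 0 obj << /Length 6 >>\nstream\n\x00\x01\x00\x00\x00\x00\nendstream\nendobj\n"
    + FONT_OBJ +
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print(rec["filename"], hex(rec["offset"]), rec["size"], rec["sha256"])
```

In most real PDFs the FontFile stream is Flate-compressed, so the header is only visible after the stream is inflated; a carver that scans raw bytes will then find nothing at the stream's file offset, and a reported offset must be read against whichever buffer (raw file or inflated stream) the scan ran over.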