Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4c44f3ab9f77501…

MALICIOUS

PDF

47.2 KB Authoring application: Smallpdf Desktop
MD5: 7315f0790ac923ac78b6c0de833bf3b5 SHA-1: 3f23b1cea2bf8879634d3e32ad51eafa0647708f SHA-256: a4c44f3ab9f77501cb073f8992a7f0c72f5b04ace9393ffdb0457fd06ec2fa52
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File

The PDF file contains a large number of external links, indicating a link farm SEO tactic. The 'SE_CLIPBOARD_COMMAND_LURE' heuristic indicates the document instructs the user to copy and paste content into a shell, which is a common method for downloading and executing further malicious payloads. The ClamAV detection further supports its malicious nature. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nikkiwetherellcounseling.com/uploads/1/3/0/2/130272978/7332a18473cae0.pdf
    • http://nrttourscentre.com/uploads/1/3/0/3/130313299/1936437.pdf
    • http://sanstuticlasses.com/uploads/1/3/0/6/130604523/f92e84736e2152.pdf
    • http://www.omegafit.ca/uploads/1/3/0/7/130776088/2d39cf1ed4.pdf
    • http://grantdigitalmedia.com/uploads/1/3/0/5/130589098/wuwaw.pdf
    • http://college4u2018.org/uploads/1/3/0/5/130544134/zowixujerepanaw-danabizamili.pdf
    • http://little-blossom-boutique.com/uploads/1/3/0/7/130775831/b3e39214274d.pdf
    • http://neufeldvolk.com/uploads/1/3/0/4/130476318/kivumipasamadomilox.pdf
    • http://www.atlweddingstylist.com/uploads/1/3/0/6/130621388/8365548.pdf
    • http://www.themordipost.com/uploads/1/3/0/7/130776208/3932850.pdf
    • http://webdisk.ancientcitycustoms.com/uploads/1/3/0/4/130476587/8378569.pdf
    • http://nyclanguageinstitute.com/uploads/1/3/0/2/130270889/fuvuwe.pdf
    • http://carpetcleancary.com/uploads/1/3/0/7/130740391/130740391.html#kali+linux+useful+commands

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003e80.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3E80 16036 bytes
font_01_sfnt_off00005297.bin
63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5297 2600 bytes
font_02_sfnt_off00005ea4.bin
e937414349f586af5d86977cb9f3efda553fb5ba59dc695ba43914a5ef360b39		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EA4 8560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.