Malicious PDF — malware analysis report

Static analysis result for SHA-256 a56c9e988282c770…

Verdict: MALICIOUS
File type: PDF
Size: 57.3 KB
Authoring application: Scribus
MD5: 7cedd7b5eb3d3538f967a6e022a0b9d3
SHA-1: 586d78efec0d1033f9bcfe19f929e81b68a33945
SHA-256: a56c9e988282c7705f2be15e660216fe4ddec43cc26e3261f740c6d8fecccb47
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell (tag assigned by the analysis engine; none of the heuristics or extracted artifacts listed below reference PowerShell, so treat the mapping as unconfirmed)

The PDF file exhibits the characteristics of a link farm: it carries numerous embedded link annotations, fifteen of which point to other PDF documents and one to an HTML page whose URL fragment is a cracked-game search phrase ("commandos 2 game full version pc"). The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' indicates phishing or traffic-redirection intent. The document body consists of garbled text interleaved with some of the same URLs, which is consistent with an attempt to disguise the content from cursory review or to manipulate search-engine results rather than to convey anything to a reader.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lahomedeco.tw/uploads/1/3/0/4/130478160/xaxiloxa-pisobefuroxaras.pdf
    • http://eastcoastspeedwaytv.com/uploads/1/3/0/6/130603715/binozemidisagipum.pdf
    • http://bugidobiw.sar-svet.ru/uploads/2020/01/28/vefopezazi.pdf
    • https://kifekenodoludux.weebly.com/uploads/1/3/0/5/130539235/3416cda7c121d6f.pdf
    • http://zemedotut.metrika.agency/uploads/2020/01/29/nebosowixitajojob.pdf
    • http://justbringbaby.com/uploads/1/3/0/4/130477152/kepupiji.pdf
    • https://gepifemekin.weebly.com/uploads/1/3/0/6/130603676/tafajajuvojapegop.pdf
    • https://burorese.weebly.com/uploads/1/3/0/5/130588858/64773bbdc8ce5.pdf
    • https://zijisifuxavubel.weebly.com/uploads/1/3/0/5/130543093/gefurorarupaned.pdf
    • http://kcranchllc.com/uploads/1/3/0/5/130588337/feduk_burularisogel_wuwifoxizax_faben.pdf
    • http://roguewanderer.com/uploads/1/3/0/2/130271217/9dbe0658f8.pdf
    • http://abbehhc.com/uploads/1/3/0/6/130604179/newurademima.pdf
    • http://lopunida.skazkashow.ru/uploads/2020/01/28/debosu.pdf
    • http://bandcimages.com/uploads/1/3/0/5/130550969/nuforon.pdf
    • http://mojavechamber.org/uploads/1/3/0/6/130621015/4546790.pdf
    • http://loskuatro20decalifornia.com/uploads/1/3/0/2/130272606/130272606.html#commandos+2+game++full+version+pc
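The PDF_SEO_LINK_FARM heuristic above is described in one sentence; the following script shows what such a rule looks like in practice. It is an added example written for this page, not the report engine's own rule: it pulls literal-string /URI link actions out of raw PDF bytes, keeps only targets ending in .pdf, clusters them by registrable domain (naive last-two-labels, no public-suffix list) and by digit-normalised path template (so the Weebly-style /uploads/1/3/0/x/13xxxxxxx/ paths listed above group together even when served from different custom domains), and flags a small file whose PDF links are mostly one cluster. The thresholds and the sample annotation blob are assumptions; the blob is constructed and is not a valid PDF, just enough bytes for the extractor to work on.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Literal-string /URI actions in link annotations, e.g. /A << /S /URI /URI (http://...) >>.
# Only literal strings are handled; hex strings and compressed object streams are out of scope.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uri_links(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw (uncompressed) PDF bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def registered_domain(host: str) -> str:
    """Naive registrable domain: last two labels. Good enough to group *.weebly.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def path_template(path: str) -> str:
    """Directory part of the path with digit runs replaced by N, so that
    /uploads/1/3/0/5/130539235/x.pdf and /uploads/1/3/0/6/130603676/y.pdf share a bucket."""
    directory = path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def analyse(pdf_bytes: bytes, max_size: int = 200 * 1024, min_pdf_links: int = 8,
            cluster_ratio: float = 0.5) -> dict:
    """Assumed approximation of PDF_SEO_LINK_FARM (not the report engine's actual rule):
    a small file whose clickable external links are mostly other PDFs and mostly share
    one registrable domain or one path template."""
    urls = extract_uri_links(pdf_bytes)
    pdf_targets = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(registered_domain(urlparse(u).hostname or "") for u in pdf_targets)
    templates = Counter(path_template(urlparse(u).path) for u in pdf_targets)
    top_host, host_count = hosts.most_common(1)[0] if hosts else ("", 0)
    top_template, template_count = templates.most_common(1)[0] if templates else ("", 0)
    n = len(pdf_targets)
    ratio = max(host_count, template_count) / n if n else 0.0
    return {
        "size": len(pdf_bytes),
        "urls": len(urls),
        "pdf_links": n,
        "top_host": top_host,
        "top_template": top_template,
        "cluster_ratio": ratio,
        "link_farm": len(pdf_bytes) <= max_size and n >= min_pdf_links and ratio >= cluster_ratio,
    }


# Constructed sample (assumption): link annotations in the shape seen in the report,
# six on weebly.com subdomains, two PDFs on other hosts, one HTML lure, one plain site.
SAMPLE_URLS = [
    "https://kife.weebly.com/uploads/1/3/0/5/130539235/a.pdf",
    "https://gepi.weebly.com/uploads/1/3/0/6/130603676/b.pdf",
    "https://buro.weebly.com/uploads/1/3/0/5/130588858/c.pdf",
    "https://ziji.weebly.com/uploads/1/3/0/5/130543093/d.pdf",
    "https://abcd.weebly.com/uploads/1/3/0/2/130271217/e.pdf",
    "https://wxyz.weebly.com/uploads/1/3/0/6/130604179/f.pdf",
    "http://one.example.net/uploads/2020/01/28/g.pdf",
    "http://two.example.org/uploads/2020/01/29/h.pdf",
    "http://example.com/uploads/1/3/0/2/130272606/130272606.html#lure",
    "https://example.com/",
]


def build_pdf(urls: list[str]) -> bytes:
    """Wrap URLs in link-annotation dictionaries; not a valid PDF, only extractor fodder."""
    body = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>\n"
        for u in urls
    )
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


SAMPLE_PDF = build_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(analyse(SAMPLE_PDF))
```

On a real sample, inflate FlateDecode streams before scanning, or the annotations inside object streams will be missed. Two hosts clustering is the weak signal in this page's list (only four of the sixteen targets are on weebly.com), while the path-template bucket catches the eleven custom domains that share the same /uploads/1/3/0/x/13xxxxxxx/ layout; that is why the example scores on the larger of the two clusters.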

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001647.bin
    SHA-256: 9e85812d6d9fec1e9409a8a4b2c4cb207475788a1b8693fd052d794ea7cb17df
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1647
    Size: 10208 bytes
  • font_01_sfnt_off00008625.bin
    SHA-256: 27aad4e7100ae85831cc1a9cf4859e84521ff6b1ee9ac199fa10e6c4d4b25dad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8625
    Size: 2736 bytes
  • font_02_sfnt_off000090e4.bin
    SHA-256: cc72d3baf69dc41c7fad59fb6b08bd11310b942a16511d10294576796acefa94
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90E4
    Size: 23856 bytes
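The three fonts above were carved out as separate files so they can be examined independently of the PDF container; malformed embedded fonts are a long-standing PDF exploit vector, although the report does not claim these three are anything other than Scribus output. As an added example, not the report's own tooling, the following carver locates sfnt table directories (TrueType, CFF-based OpenType and Apple 'true' wrappers) in a byte blob and derives each font's extent from its table directory, which is what a carver needs to know to cut the file at the right place. The sample blob is constructed; in a real PDF the FontFile2 stream is normally FlateDecode-compressed and must be inflated first.

```python
import struct

# sfnt wrapper signatures: TrueType (0x00010000), CFF-based OpenType ('OTTO'), Apple 'true'.
SFNT_TAGS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # sanity bound; real fonts have well under this


def parse_sfnt_at(data: bytes, off: int):
    """Validate an sfnt table directory at `off`; return (offset, size, table tags) or None.
    Size is the furthest table end, i.e. how far the carved file must extend."""
    if off + 12 > len(data):
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_len = 12 + 16 * num_tables
    if off + dir_len > len(data):
        return None
    tags, end = [], dir_len
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(0x20 <= b <= 0x7E for b in tag):  # table tags are printable ASCII
            return None
        if t_off < dir_len or off + t_off + t_len > len(data):  # table must follow the directory and fit
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, t_off + t_len)
    return off, end, tags


def carve_sfnt(data: bytes) -> list[tuple[int, int, list[str]]]:
    """Scan a blob for sfnt headers and return (offset, size, table tags) for each plausible font."""
    hits = []
    for sig in SFNT_TAGS:
        pos = data.find(sig)
        while pos != -1:
            parsed = parse_sfnt_at(data, pos)
            if parsed:
                hits.append(parsed)
            pos = data.find(sig, pos + 1)
    return sorted(hits)


# Constructed sample (assumption): filler bytes, a fake two-table TrueType font, trailing bytes.
PREFIX = b"%PDF-1.4 some stream bytes before the font "


def build_font() -> bytes:
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 2, 32, 1, 0)  # 2 tables
    directory = (struct.pack(">4sIII", b"head", 0, 44, 54)   # head at 44, 54 bytes
                 + struct.pack(">4sIII", b"cmap", 0, 100, 20))  # cmap at 100, 20 bytes -> ends at 120
    return header + directory + b"\x00" * (120 - 44)


SAMPLE = PREFIX + build_font() + b" trailing junk"

if __name__ == "__main__":
    for off, size, tags in carve_sfnt(SAMPLE):
        print(f"sfnt at 0x{off:X}, {size} bytes, tables {tags}")
```

The directory check deliberately rejects the false candidate that the bytes 00 01 00 00 inside the header's entrySelector/rangeShift fields produce eight bytes into the real font, which is the kind of near-miss a signature-only scanner would report twice.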