Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6d6950e47079a61…

Verdict: MALICIOUS

File type: PDF

Size: 38.3 KB
Authoring application: Soda PDF
MD5: 780174325d21d41a2497131c75b6bce2
SHA-1: 2aacd2175469fadd4bd8a697d957db919d9585ab
SHA-256: a6d6950e47079a61d140dc84269f9458cd2683cc3a1f58e729e6f0be1cc5c0d3
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.002 Phishing: Spearphishing Attachment

The PDF file contains a large number of external links, many of which point to other PDF files, indicating a link farm for SEO or malicious redirection. The document body explicitly instructs the user to install a browser extension or update, a common social engineering tactic. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports the phishing and redirection nature of this document. The primary intent appears to be luring users to malicious sites or tricking them into installing potentially harmful software.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013a0.bin
SHA-256: 01a23d1324ec8069cac42e709a1a4a9b460f5c4d61a33b1bacddd5fa8c5a587c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13A0
Size: 8856 bytes