Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6f842b803ce638e…

Verdict: MALICIOUS
File type: PDF
Size: 38.6 KB
Authoring application: PDFBox
MD5: 790542933a871ada7b300dbbe83746f5
SHA-1: 318823063f983d0c11740e70be952114e6c04e1c
SHA-256: a6f842b803ce638e3134b5684d45b8e405d522875da8bb1ed0e074965e7b3fdf
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link farm designed to redirect users to malicious PDF files, as indicated by the 'PDF_SEO_LINK_FARM' heuristic and the numerous embedded URLs. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports its malicious nature. The document body, though partially corrupted, mentions 'Ambush marketing in the olympics', suggesting a lure to disguise the malicious intent. The primary attack pattern involves tricking users into downloading further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000032fe.bin
SHA-256: ba0434af256919c4e15ef3b0c1215010a43e23e2cbf2a3f3da999dcf75c5c52e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x32FE
Size: 8084 bytes