Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa7a7468225df2f7…

MALICIOUS

PDF

37.0 KB Authoring application: ImageMagick
MD5: 448027c1f203ed0c92313448622a2a8b SHA-1: 99348748f4869054dcecff14677152ade2dd4037 SHA-256: aa7a7468225df2f7bf7bfe3c2855cdfb5bba13fae847b2d95a7fce2e280c3df0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of embedded links to other PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a coordinated effort to distribute malicious content or phish users. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports the malicious nature of the file. No scripts were extracted from this sample, and the document body contained mostly garbage data.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adeletreasures.com/uploads/1/3/0/6/130639121/wakobitug-vodunivora.pdf
    • http://agm91.icu/uploads/2020/01/29/f045591b7feef5.pdf
    • http://vipvegastours.com/uploads/1/3/0/6/130620274/jadazotinolumuz.pdf
    • http://philjeremypersonaltraining.com/uploads/1/3/0/6/130605405/0286185c61d3ca.pdf
    • http://bucketsofbrassandcopper.com/uploads/1/3/0/6/130639306/damisule.pdf
    • http://a1412531xstreamtravel.xsideas.com/uploads/1/3/0/6/130604528/130604528.html#bernhardt+hamlet+script+pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000010a5.bin
c5eff2a2b218969b020b837d2c17e6772eda41911274ea649f41f2150bd051b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A5 8172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.