Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab984ed1215c9d69…

MALICIOUS

PDF

35.1 KB Authoring application: pstoedit
MD5: 5c9cd61453fb1adfa02c1dcd930c2457 SHA-1: af28e0cc31b73738eceaa701e8352d319bbf8dcd SHA-256: ab984ed1215c9d69f1f4264c2afd7794d90fe1a8c08cef920022758e0e455b7e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute further malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' supports the malicious classification. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://movingmountains.services/uploads/1/3/0/4/130490399/4720452.pdf
    • http://kohai.moe/uploads/1/3/0/4/130476183/wivisegug.pdf
    • http://nawahte.com/uploads/1/3/0/7/130775628/rubawaninak.pdf
    • http://digitalsystemresearch.com/uploads/1/3/0/6/130620450/vefetolago-xabigawo.pdf
    • http://noraflum.net/uploads/1/3/0/6/130605422/tovisenuvi.pdf
    • http://musicadventure.net/uploads/1/3/0/4/130483370/6455a19d27b29.pdf
    • http://amandamayberry.com/uploads/1/3/0/6/130620184/votibe.pdf
    • https://kuzagamotakafum.weebly.com/uploads/1/3/0/3/130313087/tinefudukup_xiwafalojo.pdf
    • http://newhopeakron.com/uploads/1/3/0/3/130379311/4053451.pdf
    • http://cofse.net/uploads/1/3/0/5/130590203/a59d7b.pdf
    • http://wokejoke.com/uploads/1/3/0/6/130620865/nepofoxipulebud.pdf
    • http://mynaturalhairspa.com/uploads/1/3/0/5/130540458/a5920b76ee.pdf
    • http://cfthomas.com/uploads/1/3/0/2/130271067/130271067.html#canon+eos+utility++windows+7+india

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012df.bin
638a78e7da5c8463b1696c5a04a2ad71836bebf626e6620cc81f5361484390d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12DF 8008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.