Malicious PDF — malware analysis report

Static analysis result for SHA-256 acd1b221c35fe447…

Verdict: MALICIOUS
File type: PDF
Size: 38.1 KB
Authoring application: Adobe PDF Library 9.0
MD5: 817cd5832baa1e3a403c186bfd4baf95
SHA-1: 759fa31f3358423137696e42fed95389753bca88
SHA-256: acd1b221c35fe447954f6cca01876489cd44a28e1f64b0c9daa3422b7dec3edd
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
Note that nothing in the heuristics or carved artifacts below shows PowerShell; treat T1059.001 as a hypothesis about the downstream delivery chain rather than behaviour observed in this sample.

The PDF carries 17 embedded URLs, 16 of which point to .pdf files and one to an .html page, spread across 17 distinct domains that all share the same /uploads/1/3/0/<n>/<nine-digit id>/ directory layout. This is the signature of a generated link farm used as a distribution mechanism for further malicious or unwanted content, consistent with the ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body itself is heavily obfuscated and reveals no intent beyond the embedded links; the only artifact carved from the file is an embedded sfnt font stream.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the clustering is by path layout rather than by host: the 17 links sit on 17 different hosts but all use the same /uploads/1/3/0/<n>/<id>/ directory pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://stephan-orth.net/uploads/1/3/0/4/130491418/69785.pdf
    • http://brewandplowfarm.com/uploads/1/3/0/5/130590140/3188318.pdf
    • http://missprisstea.com/uploads/1/3/0/4/130483863/e7c5a3f2.pdf
    • http://10ten.com.au/uploads/1/3/0/5/130547527/4480670.pdf
    • http://suemoraes.com/uploads/1/3/0/7/130775358/ludazewo-tezonogimuv.pdf
    • http://moversinmiami.net/uploads/1/3/0/7/130775257/vosijiduwavig_kefiwi.pdf
    • http://liviace.me/uploads/1/3/0/4/130483737/givado.pdf
    • http://hcred.org/uploads/1/3/0/4/130489359/9783525.pdf
    • http://ardmorevetservices.com/uploads/1/3/0/4/130479472/7b9bc4.pdf
    • http://chupacandelabra.com/uploads/1/3/0/7/130739889/xenozidukabum.pdf
    • http://projectrsvp.com/uploads/1/3/0/2/130291499/tidotigododewuz_rowot_kuganakedaxego.pdf
    • http://digi-done.com/uploads/1/3/0/3/130324192/loxowuvuvu_sijavuzijonativ_gimikupefux.pdf
    • http://amzengine.com/uploads/1/3/0/5/130551264/dumotozaxuli.pdf
    • http://naaboard.com/uploads/1/3/0/4/130489172/a6bca8bce18d2.pdf
    • http://74-123-75-144.mgwnet.com/uploads/1/3/0/6/130604580/vijumotowixigi.pdf
    • http://clarionbobcatfootball.com/uploads/1/3/0/2/130289746/xiletikikiduj-duvekuvokipaji-noponevegidafe-wivomu.pdf
    • http://jizhoudaoduchangcns.br3h.com/uploads/1/3/0/7/130776122/130776122.html#left+neck+lymphadenopathy+icd+10
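The following is an added example, not code from the report or from the analysis tool that produced it. It reimplements the PDF_SEO_LINK_FARM heuristic described above over raw PDF bytes: it pulls /URI targets out of link-annotation action dictionaries, then scores file size, link count, the share of targets ending in .pdf, and clustering by host or by normalised directory layout (the /uploads/N/N/N/N/N pattern every link in this report shares). The thresholds (10 links, 200 KB, 80 % .pdf targets, 50 % one host or 80 % one layout) and the scoring function are assumptions chosen to match this sample, and the sample PDF is constructed inline from a subset of the report's URL list; nothing is fetched.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) inside a link-annotation action dictionary.
# PDF literal strings may contain escaped parentheses and backslashes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Subset of the link targets listed in the report above (strings only; never fetched).
REPORT_URLS = [
    "http://stephan-orth.net/uploads/1/3/0/4/130491418/69785.pdf",
    "http://brewandplowfarm.com/uploads/1/3/0/5/130590140/3188318.pdf",
    "http://missprisstea.com/uploads/1/3/0/4/130483863/e7c5a3f2.pdf",
    "http://10ten.com.au/uploads/1/3/0/5/130547527/4480670.pdf",
    "http://suemoraes.com/uploads/1/3/0/7/130775358/ludazewo-tezonogimuv.pdf",
    "http://moversinmiami.net/uploads/1/3/0/7/130775257/vosijiduwavig_kefiwi.pdf",
    "http://liviace.me/uploads/1/3/0/4/130483737/givado.pdf",
    "http://hcred.org/uploads/1/3/0/4/130489359/9783525.pdf",
    "http://ardmorevetservices.com/uploads/1/3/0/4/130479472/7b9bc4.pdf",
    "http://naaboard.com/uploads/1/3/0/4/130489172/a6bca8bce18d2.pdf",
    "http://jizhoudaoduchangcns.br3h.com/uploads/1/3/0/7/130776122/130776122.html#left+neck+lymphadenopathy+icd+10",
]


def _unescape(raw: bytes) -> str:
    """Minimal PDF literal-string unescaping: backslash-newline, \\( \\) and \\\\."""
    out = re.sub(rb"\\\r?\n", b"", raw)
    out = re.sub(rb"\\([()\\])", rb"\1", out)
    return out.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list:
    """Every /URI target visible in uncompressed object dictionaries.
    Caveat: annotations stored in FlateDecode'd object streams (/ObjStm) are
    invisible to a raw scan and must be inflated first; a production analyzer
    walks the parsed object tree instead of grepping bytes."""
    return [_unescape(m) for m in URI_RE.findall(pdf_bytes)]


def link_farm_score(pdf_bytes: bytes, min_links: int = 10,
                    max_size: int = 200 * 1024) -> dict:
    """Assumed scoring of the PDF_SEO_LINK_FARM pattern: a small file with many
    external links, nearly all .pdf targets, clustered by host or path layout."""
    uris = extract_uris(pdf_bytes)
    n = len(uris)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in uris)
    # Directory layout with digit runs normalised, e.g. /uploads/N/N/N/N/N
    layouts = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0])
                      for u in uris)
    pdf_targets = sum(1 for u in uris
                      if urlsplit(u).path.lower().endswith(".pdf"))
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_layout, top_layout_n = layouts.most_common(1)[0] if layouts else ("", 0)
    clustered = n and (top_host_n / n >= 0.5 or top_layout_n / n >= 0.8)
    flagged = bool(n and len(pdf_bytes) <= max_size and n >= min_links
                   and pdf_targets / n >= 0.8 and clustered)
    return {"size": len(pdf_bytes), "links": n, "pdf_targets": pdf_targets,
            "distinct_hosts": len(hosts), "top_host": top_host,
            "top_layout": top_layout, "flagged": flagged}


def build_sample_pdf(urls: list) -> bytes:
    """Constructed sample (not the analysed file): a one-page PDF carrying one
    /Link annotation per URL. The xref table is omitted; the scanner ignores it."""
    annots, refs = [], []
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(f"{5 + i} 0 obj\n<< /Type /Annot /Subtype /Link "
                      f"/Rect [36 {700 - 14 * i} 300 {712 - 14 * i}] "
                      f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
        refs.append(f"{5 + i} 0 R")
    doc = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           f"/Annots [{' '.join(refs)}] /Contents 4 0 R >>\nendobj\n"
           "4 0 obj\n<< /Length 0 >>\nstream\n\nendstream\nendobj\n"
           + "".join(annots)
           + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return doc.encode("latin-1")


if __name__ == "__main__":
    print(link_farm_score(build_sample_pdf(REPORT_URLS)))
    print(link_farm_score(build_sample_pdf(["https://example.com/a.pdf",
                                            "https://example.org/"])))
```

Run it on a real sample with `link_farm_score(open(path, "rb").read())`. On the constructed carrier the eleven links are all on different hosts, so the host-clustering test alone would miss it; the normalised-layout test is what catches the Weebly-style /uploads/N/N/N/N/N pattern, which is why both are checked.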

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003a48.bin
SHA-256: dbca7a493f5d3f4a18e76f62b765cd61140f753158df33f3a43beeb46f5d72c3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3A48
Size: 7616 bytes