Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae0d9eb6883b394c…

Verdict: MALICIOUS
File type: PDF
Size: 39.7 KB
Authoring application: Inkscape
MD5: 7dc3edec1024100c6b4c239cdb32db9a
SHA-1: d43fc8dbcb0660c245ecef1671f66c15dea1e51c
SHA-256: ae0d9eb6883b394cb33a9420f8b3ac524d061cd207352d57af5d43505955acf2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents hosted on many different domains. This pattern is indicative of a link farm, which is commonly used for SEO manipulation or to route users toward malicious payloads. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000031f0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31F0
    Size: 4324 bytes
    SHA-256: 21c081c601f7a9d922326fd9cdb817eddda87ef78f5e69df0eeec30a56cc2ccd
  • Filename: font_01_sfnt_off000041f1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x41F1
    Size: 7636 bytes
    SHA-256: ce65c704f1ac7f2b9e181cfc43ce28f396364edd4e75764480ff5e19faf218a7