Malicious PDF — malware analysis report

Static analysis result for SHA-256 b13aa2e512e1ebbd…

MALICIOUS

PDF

Size: 121.9 KB
Authoring application: Solid Converter PDF
MD5: e065c99d553cb15532116912e9f9b2b1
SHA-1: 07d84934cd74145e7d2c77bba239473af5074e76
SHA-256: b13aa2e512e1ebbdd4489f04d12058bcd42228a7cc045d2913b18cf4d9854718
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The SE_LOLBIN_RUN_COMMAND heuristic indicates visible instructions that likely involve Windows execution tools. The ClamAV detection further confirms its malicious nature, classifying it as Pdf.Phishing.TtraffRobotInstall. The primary attack pattern is directing users into a large network of external PDF files, most likely for phishing or malware distribution.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_LOLBIN_RUN_COMMAND (high): Visible LOLBin command execution instruction
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.nova-distribution.eu/uploads/1/3/0/9/130969200/1857947.pdf
    • http://preparedmealstogo.com/uploads/1/3/0/6/130621895/sexakezurab.pdf
    • http://learnmormonfacts.com/uploads/1/3/0/7/130738715/7d5427f6eb.pdf
    • http://karimlemec.it/uploads/1/3/0/6/130620412/jasuzofixiva.pdf
    • http://pyrowinecellars.com/uploads/1/3/0/4/130483795/4190410.pdf
    • http://blockchain.security/uploads/1/3/0/6/130620478/55d0e2e4359d6.pdf
    • http://desertmountainrental.com/uploads/1/3/0/7/130739907/pelogowuwugizo.pdf
    • http://semeionmarketing.com/uploads/1/3/0/8/130814423/ddf25640c57.pdf
    • http://phoenixtech.biz/uploads/1/3/0/2/130289649/3afe363f0872.pdf
    • http://hottcoffee.live/uploads/1/3/0/2/130291493/a047adebf.pdf
    • http://noreenhughes.com/uploads/1/3/0/4/130435943/lejajufidem-tipisamojux-zumubavabu.pdf
    • http://taradaav.com/uploads/1/3/0/6/130604034/zaxoge.pdf
    • http://makingmusicmodular.com/uploads/1/3/0/6/130603932/jexidok.pdf
    • http://monolithcomputing.com/uploads/1/3/0/2/130291585/lelumad.pdf
    • http://kerrylindner.net/uploads/1/3/0/2/130272083/dc0fb044bd4.pdf
    • http://linden58.pleasingfood.com/uploads/1/3/0/5/130551562/130551562.html#seizure+symptoms+wikipedia

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off00002c72.bin
    SHA-256: 868aac0057515e358d9c0e87e72090abdb83c02b60295eb9d9dd277d5a056a04
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C72
    Size: 9536 bytes
  • Filename: font_01_sfnt_off0000fd33.bin
    SHA-256: 66228b287bfafcabfbc68a35f1a3341d2566c84f3f64b6372cca4f6b2550dbe8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD33
    Size: 5456 bytes
  • Filename: font_02_sfnt_off00010d2c.bin
    SHA-256: c81131162d985c9d28dd86c513b25fb75191b2b8272011354c9e8f2db2c42fab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D2C
    Size: 16580 bytes