Malicious PDF — malware analysis report

Static analysis result for SHA-256 b34b48c32b19d052…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Authoring application: Scribus
MD5: 8211d8495252b04bccd5e1b7941d103a
SHA-1: 709a8dcf7ca1a71bb844e2bc5e6cb6a081669abd
SHA-256: b34b48c32b19d0521753b893f8262599d13d9680c0c6265a225ffb367e64956b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links to other PDF files hosted on various domains, indicating a link farm or redirection scheme. This is consistent with phishing or malware distribution tactics. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to traffic redirection or phishing. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off000046a1.bin
  SHA-256: 63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x46A1
  Size:    2600 bytes

font_01_sfnt_off0000525f.bin
  SHA-256: 62301acff5703900601fe15c4c4968f2fae25bfb28fb031fc0f2357f248385f0
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x525F
  Size:    8348 bytes