Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3f2a5df260ea4b6…

MALICIOUS

File type: PDF
Size: 42.8 KB
Authoring application: Soda PDF
MD5: 3fe184129d3cdbcab29cd7d96bdcbb58
SHA-1: 46d99f9233333e90a5ba5a8b7970faf9de912925
SHA-256: b3f2a5df260ea4b6090365697f24f004708532705ddd41e0e27eed938808b6ec
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF carries an unusually large number of external link annotations for its size, which is what the PDF_SEO_LINK_FARM heuristic flags; ClamAV independently classifies the file as a phishing-related PDF (Pdf.Phishing.TtraffRobotInstall-7605656-0). The recoverable text of the document body, which is partially corrupted, references academic subjects, and the last listed URL carries a fragment of the form apex+algebra+1+semester+2+pretest+answers, so the lure appears aimed at students searching for homework answers. The primary attack pattern is redirection rather than local code execution: the document routes anyone who clicks into a network of externally hosted PDF files, the pattern used for SEO poisoning and for staging further malicious or unwanted-software content. The links are the payload; the file itself needs no exploit to do its job.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://porterforcanton.com/uploads/1/3/0/6/130620367/1549468.pdf
    • http://nothernlotusayurveda.com/uploads/1/3/0/3/130379252/802917.pdf
    • http://nanoquests.com/uploads/1/3/0/6/130620947/laxezifam-ludefuduges.pdf
    • http://wez.diba-konto.com/uploads/2020/01/28/f4b32a70ff.pdf
    • http://moderndaymira.com/uploads/1/3/0/6/130621195/ziviwelafodo_miduvimurumorit_wejez_tesopunufumu.pdf
    • http://deannalindstrom.com/uploads/1/3/0/5/130544889/a8ca8.pdf
    • http://rembytteplo.ru/uploads/2020/01/27/fivobe_gimaripubixabu_zuxatikizikigam.pdf
    • http://viewmic.com/uploads/1/3/0/6/130621298/7894574.pdf
    • http://pholi.net/uploads/1/3/0/3/130323449/pixoropejesirazi.pdf
    • http://windrosecontabil.com/uploads/1/3/0/4/130483799/ab550295f.pdf
    • http://woodlandelementarycoachhughes.com/uploads/1/3/0/5/130541073/fekifoli-sakigenojuraziz-fogiga.pdf
    • http://nethanelhunting.co.za/uploads/1/3/0/6/130639333/darinolema.pdf
    • http://cyclebavaria.com/uploads/1/3/0/2/130287932/130287932.html#apex+algebra+1+semester+2+pretest+answers
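The PDF_SEO_LINK_FARM heuristic reduces to a few measurable properties: file size, the number of /Link annotations whose /URI targets are external .pdf files, and how concentrated those targets are on one host. The Python below is an added example written for this page, not the report tool's own detection code: it scans raw PDF bytes for /URI values (handling escaped parentheses), applies the rule with illustrative thresholds, and runs it over a hand-assembled sample PDF. The thresholds, the .example host names and the /uploads/ paths are all assumptions constructed for the example; none of the analysed sample's URLs are used.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# A PDF literal string is delimited by parentheses and backslash escapes the
# delimiters themselves. This regex pulls the value of every /URI key found in
# raw, uncompressed annotation dictionaries. Annotations packed into compressed
# object streams (/Type /ObjStm) would have to be inflated first; not done here.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target in file order with \\( \\) \\\\ escapes removed."""
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # octal escapes not handled
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf_bytes: bytes, *, max_size: int = 200_000,
                      min_pdf_links: int = 8, min_top_host_share: float = 0.5) -> dict:
    """Apply the link-farm rule: a small file, many external links whose targets
    are themselves PDFs, most of them on a single host.
    Thresholds are illustrative assumptions, not the report tool's values."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf_bytes) <= max_size
           and len(pdf_links) >= min_pdf_links
           and share >= min_top_host_share)
    return {
        "hit": hit,
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "uris": uris,
    }


def build_sample_pdf(urls) -> bytes:
    """Hand-assemble a minimal PDF with one /Link annotation per URL.
    Constructed test input: no xref table is written, which a byte-scanning
    detector does not need (a strict parser would reject the file)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        # Escape the three characters that are special inside a literal string.
        esc = (url.encode("latin-1").replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
        top = 740 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/Border [0 0 0] /A << /S /URI /URI (" % (top - 15, top)
                    + esc + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n + 1, o) for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample targets: placeholder hosts under .example laid out like the
# /uploads/... paths in the report. Ten .pdf links on one host, two on other
# hosts, one .html landing page with a search-phrase fragment.
FARM_HOST = "pdf-farm.example"
SAMPLE_URLS = (
    [f"http://{FARM_HOST}/uploads/1/3/0/6/13062{n:04d}/{n}.pdf" for n in range(1, 11)]
    + ["http://other-one.example/uploads/2020/01/28/f4b3.pdf",
       "http://other-two.example/uploads/1/3/0/5/a(1).pdf",  # parens exercise escaping
       "http://landing.example/uploads/1/3/0/2/index.html#algebra+pretest+answers"]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    v = link_farm_verdict(SAMPLE_PDF)
    print("PDF_SEO_LINK_FARM hit" if v["hit"] else "no hit",
          f'size={v["size"]} external={v["external_links"]} pdf_links={v["pdf_links"]} '
          f'top_host={v["top_host"]} share={v["top_host_share"]}')
```

On a real sample, annotations stored inside compressed object streams must be inflated (for instance with qpdf or pikepdf) before this scan sees them; a byte-level regex only reads uncompressed dictionaries, so a count of zero means "nothing visible", not "no links".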

Extracted artifacts (1)

Files carved from inside the sample during analysis. An embedded sfnt (TrueType/OpenType) font stream is a normal component of a PDF and is not itself an indicator; it is listed so the carved bytes can be hashed and checked independently of the carrier.

Filename: font_00_sfnt_off000013d0.bin
SHA-256: a8876830aa3cf9e2950917d353c2b99857f9f85d6439b1c36db958968b1d4dab
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13D0
Size: 9088 bytes