Malicious PDF — malware analysis report

Static analysis result for SHA-256 b401259af94309bd…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Authoring application: Smallpdf Desktop
MD5: 7ebb9577fbdcfeb0d0e8a1d7f6af29fb
SHA-1: dc435931c334b4b58ad073af2f3819e7a82249ba
SHA-256: b401259af94309bd4a0a5262b0c36958cf075d9d56e95e0a80903f1a9b8f8a1f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or redirection mechanism. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious redirection intent. The embedded URLs are the primary indicators of compromise.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.mrshkwkh.co.uk/uploads/1/3/0/7/130775593/jenuxawatugenu.pdf
    • http://waelk.net/uploads/1/3/0/8/130814052/02e3566030607.pdf
    • http://suffolkchimneyliners.co.uk/uploads/1/3/0/6/130620478/4543899.pdf
    • http://mistresswidow.com/uploads/1/3/0/6/130605229/sibufepowox_xorufitinevagam_bovekakofifur_zogaros.pdf
    • http://lunchbox-gourmet.com/uploads/1/3/0/4/130436130/bijura-bewebek.pdf
    • http://www.frantasautocare.com/uploads/1/3/0/5/130551229/ad8e7478cd4318d.pdf
    • http://epiphanrentals.com/uploads/1/3/0/7/130775247/2289127.pdf
    • http://hostmaster.paolacantachin.com/uploads/1/3/0/5/130588651/wazureb.pdf
    • http://autodiscover.brandtmarineinc.com/uploads/1/3/0/5/130588239/7507154.pdf
    • http://nickchaves.com/uploads/1/3/0/3/130379272/sazavagupe.pdf
    • http://www.amazingpuppiesgarden.com/uploads/1/3/0/5/130589251/984d9d101dcb.pdf
    • http://polymergroup.net/uploads/1/3/0/3/130379164/2593813.pdf
    • http://originalraiders.us/uploads/1/3/0/7/130776149/rekomanow.pdf
    • http://usanewbiology.com/uploads/1/3/0/8/130815381/3555708.pdf
    • http://hiredhospitality.com/uploads/1/3/0/4/130479082/lovowoxog.pdf
    • http://hostmaster.ahistoryofno.com/uploads/1/3/0/2/130288421/sorolarebipuseda.pdf
    • http://jonijohnston.com/uploads/1/3/0/6/130604979/xerusoreparigupexid.pdf
    • http://mmjbookkeeper.com/uploads/1/3/0/2/130272477/vejexuvidapo_ninugobi.pdf
    • http://smplife.biz/uploads/1/3/0/9/130969521/4e0eec29e100528.pdf
    • http://lanternpartners.net/uploads/1/3/0/7/130738988/412973.pdf
    • http://64-160-90-245.pacific-solutions.com/uploads/1/3/0/5/130539584/2e705ad.pdf
    • http://creatables.ca/uploads/1/3/0/6/130621205/8672776.pdf
    • http://eygcosmetics.com/uploads/1/3/0/6/130604511/8932050.pdf
    • http://74-123-76-193.mgwnet.com/uploads/1/3/0/6/130639310/130639310.html#recommendation+letter+for+student+worker
    • http://autodiscover.brand

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000036db.bin
SHA-256: 0eeaf3e625a5ffc27df7bda097117736ce9844369a658b3a36ba93410fc62e8e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x36DB
Size: 8100 bytes