Malicious PDF — malware analysis report

Static analysis result for SHA-256 b451dabcccfaf176…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Authoring application: Serif PagePlus
MD5: 6fccfd4f5251107803d6561635616af4
SHA-1: c0339665bc08b5fe9219f59e58b9d2bc5b8827b2
SHA-256: b451dabcccfaf17676b19d9fa7719dd5496ebc56c0bad4c85684df94c5ab8c62
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files hosted on various domains, a technique often used for SEO poisoning or phishing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious intent. The embedded document body text, though heavily corrupted, contains URLs that are part of this link farm, indicating the document's primary purpose is to redirect users to these external resources.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015db.bin
SHA-256: b2584cf5b7fe8eb6159c00a0c884507fd6229d6bd7fb83bd57382120ba93e663
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15DB
Size: 7904 bytes