Malicious PDF — malware analysis report

Static analysis result for SHA-256 b769504fbf021548…

Verdict: MALICIOUS

File type: PDF

Size: 36.0 KB
Authoring application: SWFTools
MD5: 6f36290b2f8b9d05d39b230e77ca211f
SHA-1: 095594a7e04abd10a7683de1c1d162ef34e2ee8f
SHA-256: b769504fbf021548a83eeb019a6d728c2c9d3675de3203df4712cacc48fcb245
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious classification. The embedded URLs likely lead to phishing or malware distribution sites, aiming to redirect the user to a malicious payload. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from link annotations:
    • http://www.lemons4u.com/uploads/1/3/0/8/130874124/nagaxapilo-busejefojofujis-buvamupu-zonazo.pdf
    • http://ksiegowy-tychy.pl/uploads/1/3/0/6/130639438/551979c97146a5a.pdf
    • http://corollaoceanfront.com/uploads/1/3/0/6/130603860/voladamivemujol.pdf
    • http://dyrphotography.es/uploads/1/3/0/6/130621964/gumejaxudikawov-wiluba-sogarebedazu.pdf
    • http://www.dynamicresn.com/uploads/1/3/0/5/130538990/7e02b2871860d8.pdf
    • http://www.bslowracing.com/uploads/1/3/0/4/130476040/449174.pdf
    • http://legacytie.com/uploads/1/3/0/6/130604502/e3f1903.pdf
    • http://d-jedi.com/uploads/1/3/0/8/130874192/d9d1b81a14a862.pdf
    • http://empresstaxi.com/uploads/1/3/0/6/130639486/wokeralefuwol.pdf
    • http://unblessed28.goteamonline.com/uploads/1/3/0/6/130603779/692420f70b044f0.pdf
    • http://www.milescontractingak.com/uploads/1/3/0/2/130272415/1806689.pdf
    • http://www.epspropsolution.com/uploads/1/3/0/7/130776854/dekufoxurowevom.pdf
    • http://sanctuaryjacksonhole.com/uploads/1/3/0/8/130874633/veguji_pikaxet_libonokirut_nuvupapesezav.pdf
    • http://andrewcecookephotography.ca/uploads/1/3/0/3/130323603/kolazawumaba.pdf
    • http://clogdancing.mobi/uploads/1/3/0/3/130323120/e7d701.pdf
    • http://totallydreams.com/uploads/1/3/0/6/130621043/130621043.html#business+vocabulary+builder+intermediate+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003223.bin
SHA-256: 0404cf72fa44e09fd64b5f645344ea8aacfb9fbfb06eacd42671f3b0f21d084e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3223
Size: 7848 bytes