Malicious PDF — malware analysis report

Static analysis result for SHA-256 b868c12d8447d654…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Authoring application: Mobipocket Creator
MD5: 3d5ec366f1832117c17e43439eb3bae4
SHA-1: 1af3ae2e0d1c8b9da6642e97cc22c5624b860bea
SHA-256: b868c12d8447d65467b7874df7d0cf9b8bceee2044bc52a05776574b64cbb8cb
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to external PDF files, indicative of a link farm designed to distribute malicious content or conduct phishing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of this file. The embedded URLs are the primary IOCs, suggesting a delivery mechanism that relies on users clicking through to compromised or malicious domains.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002f6a.bin
SHA-256: 4d66774fedfbfd249d5c7e2aecefa58d9de39d995e1b74e3cbe9215bfdee7bbc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2F6A
Size: 7276 bytes