Malicious PDF — malware analysis report

Static analysis result for SHA-256 b947544e839ef8fc…

Verdict: MALICIOUS
File type: PDF
Size: 54.0 KB
Authoring application: Soda PDF
MD5: 3bfcbdd33cb6e0f5afd201979709ce92
SHA-1: 6971523d5c90a3f0b2ba15f4db9dbdc6b48b01d8
SHA-256: b947544e839ef8fc7258c3626775a81abdc2d9f7513a2045e94da85f103dcaff
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further indicates a phishing or traffic redirection intent. The document body, though heavily obfuscated, mentions 'Soda PDF' and 'Letras coreanas', suggesting a lure to potentially malicious content disguised as educational material. The primary attack pattern involves redirecting users to a vast array of PDF files hosted on numerous domains.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000539e.bin
    SHA-256: cdedc0f319ad16eaf6d648c40d60efd1b1ceca4a5c9c451eec96fa095d2b8ba9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x539E
    Size: 7416 bytes
  • font_01_sfnt_off00006dba.bin
    SHA-256: 70033e9e95518e075848f2914404f873ee111e35f15368914c4313b42e25a006
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DBA
    Size: 10464 bytes