Malicious PDF — malware analysis report

Static analysis result for SHA-256 b99e71bb398cfe8c…

Verdict: MALICIOUS

File type: PDF

Size: 36.3 KB
Authoring application: pdf-parser
MD5: 935ad4ea790f8881efba4a9b323ae39a
SHA-1: 3944bd92b530599f1adb03239472291024a36b3c
SHA-256: b99e71bb398cfe8c0a276c42b295d62b389728f43882d0c47972f1e8432d8b28
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. No scripts were extracted, but the primary attack vector appears to be the mass redirection to external URLs.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002dbf.bin
SHA-256: 0b434aee806aecb1aaca213a83737672db8c0f61661a32734bb3c36595dca864
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2DBF
Size: 7836 bytes