Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9b4dce90f1653b5…

Verdict: MALICIOUS
File type: PDF
Size: 91.8 KB
Authoring application: pdf-parser
MD5: 549f3acd2d3e156d2456e6950b7d999c
SHA-1: 0b84f148ff8587724b9aa11d23d1605860b97af2
SHA-256: b9b4dce90f1653b5470fb08ad46e16ed78d9dc6060b032f006fc45e240482b40
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, a pattern commonly used for SEO manipulation or to host phishing content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious-redirection intent. No scripts were extracted from this sample, and the document body was heavily truncated and unreadable.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                      Source                                      Size
stream_001_off0000ad81.bin    decompressed-pdf-stream   PDF FlateDecoded stream at offset 0xAD81    26268 bytes
  SHA-256: f58157a552d1c8e7b19cbc3170373e8db3516e82edad8135d16b944a871d3824
font_01_sfnt_off0000dd32.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0xDD32   8612 bytes
  SHA-256: a98638e1c0d3e52057a27c365789a097e537a29b3f1783f5085524889072e742