Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba8f0acbe687c891…

Verdict: MALICIOUS
File type: PDF
Size: 44.4 KB
Authoring application: Poppler-utils
MD5: 6e32d7abe51d3623fbd2bcf70ac5b636
SHA-1: 829216c8afd61e92a1cee4ef0595f73e2f394a81
SHA-256: ba8f0acbe687c891c04d089325278052d62c7662dc7d188974824f80da4d115f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic. ClamAV also detected this file as Pdf.Phishing.TtraffRobotInstall-7605656-0. The primary function appears to be redirecting users to numerous external websites, likely for malicious purposes such as phishing or SEO spam. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00003cb3.bin
    SHA-256: fec9c4369a73f12d0e9922ad7d67de95aa6f38890537ebf4614ca3f3b7c679ae
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3CB3
    Size: 2080 bytes
  • font_01_sfnt_off000048ec.bin
    SHA-256: ab234dc8407d61816cb27151348f9cd5fd212da7580a1a40a55bb4f8602c9c8a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x48EC
    Size: 8504 bytes