Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb17288704fe7c71…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Authoring application: Scribus
MD5: 60f3ca559fb5f4eba6c7a2d01558a5a8
SHA-1: 5d34d7ee244dadd1a13c68e40c12b9b9f7441d29
SHA-256: bb17288704fe7c71237734937eed6f0d966e296bc31d737560090fadfea2c109
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable links to external PDF documents. The links point to many different domains but share the same /uploads/1/3/0/…/ path template, which suggests one bulk-upload hosting platform behind the varying hostnames. This pattern is characteristic of a generated SEO link-farm carrier or a phishing lure that routes the reader to potentially malicious content, not of a document's normal citation pattern. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 supports the malicious classification.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mobileoct.com/uploads/1/3/0/7/130775537/7073535.pdf
    • http://www.mymilliondollarremedy.com/uploads/1/3/0/3/130379635/b867ad131dc.pdf
    • http://voteterribest.com/uploads/1/3/0/5/130551597/wetukamozowalu_jevodebovefo_rezegut_terubal.pdf
    • http://movmentlab.com/uploads/1/3/0/3/130379504/meminujoxesuke.pdf
    • http://brownmediadesigns.com/uploads/1/3/0/7/130739789/6704392.pdf
    • http://emscookies.com/uploads/1/3/0/8/130874289/bapilotosim.pdf
    • http://www.nova-hall.com/uploads/1/3/0/3/130379133/gibomot_beniposupa.pdf
    • http://western-union-viet-nam-nhan-tien-quoc-te.online/uploads/1/3/0/4/130476407/sanefadijav.pdf
    • http://your-cup-of-tea-va.com/uploads/1/3/0/5/130542728/lipom.pdf
    • http://zentdd.com/uploads/1/3/0/2/130289304/580132.pdf
    • http://seizediem.com/uploads/1/3/0/6/130640025/130640025.html#cumulative+distribution+function+for+continuous+random+variables
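One way to implement the PDF_SEO_LINK_FARM check described above, as an added example and not the scanner's own code: it pulls /URI targets out of link annotations directly from the PDF bytes, measures how the external .pdf links concentrate per host and per path prefix, and applies size and count thresholds. The thresholds, the depth-3 path prefix, and the build_sample_pdf helper are assumptions made for illustration; the URL list is copied from this report. In this sample every link sits on a different host, so a host-only clustering rule would miss it, while the shared /uploads/1/3/… path template gives the concentration away.

```python
"""Link-farm heuristic for PDFs (added example, not the scanner's own code).

A minimal byte-level parser extracts /URI targets from link annotations, then the
PDF_SEO_LINK_FARM logic is applied: a small file carrying many external .pdf links
that concentrate on one host or, as in this sample, on one shared path template.
"""
import re
from collections import Counter
from urllib.parse import urlparse

MAX_SIZE = 256 * 1024     # assumption: what counts as a "small" PDF
MIN_PDF_LINKS = 5         # assumption: what counts as "many" links
MIN_CONCENTRATION = 0.6   # assumption: share of links on the top host or path prefix

# /URI (literal string) inside a link annotation's action dictionary. Hex-string
# (/URI <...>) and indirect-object forms are deliberately not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# URLs copied from the report above; the PDF built from them below is constructed.
SAMPLE_URLS = [
    "http://mobileoct.com/uploads/1/3/0/7/130775537/7073535.pdf",
    "http://www.mymilliondollarremedy.com/uploads/1/3/0/3/130379635/b867ad131dc.pdf",
    "http://voteterribest.com/uploads/1/3/0/5/130551597/wetukamozowalu_jevodebovefo_rezegut_terubal.pdf",
    "http://movmentlab.com/uploads/1/3/0/3/130379504/meminujoxesuke.pdf",
    "http://brownmediadesigns.com/uploads/1/3/0/7/130739789/6704392.pdf",
    "http://emscookies.com/uploads/1/3/0/8/130874289/bapilotosim.pdf",
    "http://www.nova-hall.com/uploads/1/3/0/3/130379133/gibomot_beniposupa.pdf",
    "http://western-union-viet-nam-nhan-tien-quoc-te.online/uploads/1/3/0/4/130476407/sanefadijav.pdf",
    "http://your-cup-of-tea-va.com/uploads/1/3/0/5/130542728/lipom.pdf",
    "http://zentdd.com/uploads/1/3/0/2/130289304/580132.pdf",
    "http://seizediem.com/uploads/1/3/0/6/130640025/130640025.html#cumulative+distribution+function+for+continuous+random+variables",
]


def build_sample_pdf(urls):
    """Constructed one-page PDF with one /Link annotation per URL (assumed helper)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{refs}] >>".encode())
    for i, url in enumerate(urls):
        y = 700 - 20 * i
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {y} 540 {y + 14}] "
                    f"/A << /S /URI /URI ({esc}) >> >>".encode())
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref}\n%%EOF\n").encode()
    return bytes(out)


def extract_link_uris(pdf_bytes):
    """Return the /URI targets found in link-annotation dictionaries, unescaped."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris


def path_prefix(url, depth=3):
    """First `depth` path components, e.g. /uploads/1/3 for the sample URLs."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return "/" + "/".join(parts[:depth])


def assess_link_farm(pdf_bytes):
    """Apply the link-farm heuristic; returns the measurements and the verdict."""
    uris = extract_link_uris(pdf_bytes)
    external_pdf = [u for u in uris
                    if urlparse(u).scheme in ("http", "https")
                    and urlparse(u).path.lower().endswith(".pdf")]
    n = len(external_pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in external_pdf)
    prefixes = Counter(path_prefix(u) for u in external_pdf)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_prefix, top_prefix_n = prefixes.most_common(1)[0] if prefixes else ("", 0)
    host_conc = top_host_n / n if n else 0.0
    prefix_conc = top_prefix_n / n if n else 0.0
    # Either clustering signal (host or path template) is enough to fire.
    flagged = (len(pdf_bytes) <= MAX_SIZE and n >= MIN_PDF_LINKS
               and max(host_conc, prefix_conc) >= MIN_CONCENTRATION)
    return {"size": len(pdf_bytes), "uris": uris, "external_pdf_links": n,
            "distinct_hosts": len(hosts), "top_host": top_host,
            "host_concentration": host_conc, "top_path_prefix": top_prefix,
            "path_prefix_concentration": prefix_conc, "flagged": flagged}


if __name__ == "__main__":
    for key, value in assess_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        if key != "uris":
            print(f"{key}: {value}")
```

The .html link with the fragment is extracted but excluded from the PDF-link count, which is why the count is 10 rather than 11; a single-citation PDF stays below the link threshold and is not flagged.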

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003102.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3102
  Size:    2856 bytes
  SHA-256: bdd79ae1c6ae70525eb90cd4fed30de3f57ed86a028f630060c6cb1e06603841

Filename: font_01_sfnt_off00003ab7.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3AB7
  Size:    16372 bytes
  SHA-256: ae72779f3bb80e602c7685e31b03ef631c45c59bd82bc4725025799b966dd7f2

Filename: font_02_sfnt_off00005397.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x5397
  Size:    8592 bytes
  SHA-256: 44719398fffff6915c88fb3a7323255928cabaa428da098658daa960821c9c02