Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb5d24843602f472…

Verdict: MALICIOUS
File type: PDF
Size: 34.7 KB
Authoring application: Mobipocket Creator
MD5: 6a201ef0c23439377aec5535ff0fe3e1
SHA-1: a1cc462ef291c3a48f911f10ce7555b72e16779c
SHA-256: bb5d24843602f4720a27ff00a9f7dc8cd8b82f3972bc249da12441baab357b75
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external links, indicative of a link farm or redirection scheme. The primary heuristic that fired, PDF_SEO_LINK_FARM, confirms the presence of 24 external PDF links, the first of which is http://www.primarypropertyinspections.com/uploads/1/3/0/7/130739253/zotigijirapa-guduxebugusel-fudidiz-kivorijupibed.pdf. This suggests the document's purpose is to distribute or link to malicious content through a network of seemingly unrelated domains.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.primarypropertyinspections.com/uploads/1/3/0/7/130739253/zotigijirapa-guduxebugusel-fudidiz-kivorijupibed.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d39.bin
SHA-256: 3981e690e425d3c4e84f7efdedea076b34ac4cc3be9644fc26db7c568b80e7ad
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D39
Size: 8768 bytes