Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc1e1dd2433ae52f…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Authoring application: PDFBox
MD5: 8e172c328059244c9f8a1859a9cd265f
SHA-1: 1154c350aa3a2379efc326eb1e8a51319b633b4a
SHA-256: bc1e1dd2433ae52fb7523c67379a7bfc973900f794d3e5a6685db7f96f74724c
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of clickable external links for its 39 KB size, which is what the PDF_SEO_LINK_FARM heuristic flags. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently points to phishing or malicious redirection. The document body is heavily obfuscated and carries no clear textual lure; the volume of links alone indicates a generated carrier built to route users toward potentially malicious content rather than a document with a normal citation pattern.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://putinafuda.weebly.com/uploads/1/3/0/4/130436197/giviwikeb-wuloxorekiw-linir-vavoniv.pdf
    • http://eacecil.com/uploads/1/3/0/6/130605216/guwadodakujop_pivifi_titabodugope_bodibopusakuj.pdf
    • https://tegenuvokokekem.weebly.com/uploads/1/3/0/2/130292013/e9f2810d85e3f.pdf
    • https://koxitonagono.weebly.com/uploads/1/3/0/4/130491488/netabimodej_bufogexaletula.pdf
    • https://wakurejedajaw.weebly.com/uploads/1/3/0/5/130546294/4602784.pdf
    • http://nakomaplumas.com/uploads/1/3/0/6/130621979/temisi.pdf
    • http://mycarenow.us/uploads/1/3/0/6/130604945/lakigoko.pdf
    • http://d2d-prorunners.com/uploads/1/3/0/6/130605118/xabazi.pdf
    • http://897788976207812023.com/uploads/1/3/0/6/130620720/gomana.pdf
    • http://dallasairductcleaning.net/uploads/1/3/0/4/130476586/1f76888e1e37064.pdf
    • http://metaphorboutique.com/uploads/1/3/0/2/130272988/nurivu-zeseziwop.pdf
    • http://allans-automobiles.com/uploads/1/3/0/6/130604874/422c2d2.pdf
    • http://ashtonharvey.com/uploads/1/3/0/5/130538986/zaxewobuk.pdf
    • http://damiwuf.speacetech.us/uploads/2020/01/27/4c85d.pdf
    • http://fadofu.blackprice24.com/uploads/2020/01/28/fijilanikeje-gafidapom-pupipurewipo-munepifivejoxuw.pdf
    • http://kifez.2206bumps01.fun/uploads/2020/01/28/7828883.pdf
    • http://empowermentreminderbracelets.com/uploads/1/3/0/2/130272234/jevareledoxe.pdf
    • http://nicholebertucci.com/uploads/1/3/0/4/130477890/wowixubevon.pdf
    • http://rbrvocal.weebly.com/uploads/1/3/0/4/130435960/duvuwatofaziba.pdf
    • http://pierrecyr.ca/uploads/1/3/0/6/130604117/zuporisuvatuvutavag.pdf
    • http://summitphotographer.com/uploads/1/3/0/5/130588579/2414999.pdf
    • http://avishafilm.weebly.com/uploads/1/3/0/3/130323318/piforofavef.pdf
    • http://nicoledreger.weebly.com/uploads/1/3/0/5/130551253/lotepaji.pdf
    • http://nickhawrylko.com/uploads/1/3/0/2/130289336/130289336.html#hosanna+hillsong+united+piano+tutorial
    • http://empowermentreminderbracelets.com/
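The PDF_SEO_LINK_FARM heuristic above is a link-density check, and a triage script can reproduce its core idea. The following is an added example written for this page; it is not the analysis platform's own code and has nothing to do with the ClamAV signature. It pulls every /URI link target out of a PDF, scanning both the raw bytes and any Flate-compressed streams it can inflate (annotations packed into object streams are invisible to a raw byte scan), groups targets by an approximate registrable domain, and flags a small file that carries many external .pdf links concentrated on one domain. The thresholds (100 KB, 15 links, 50% share), the crude "last two labels" domain helper, the function names and the constructed sample PDF are all assumptions made here.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string) link targets; hex-string URIs (<...>) are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Stream bodies. Annotations inside FlateDecode object streams only appear after inflation.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes \\( \\) \\\\ ; other escapes are left untouched."""
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), s)


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the raw file and in any inflatable stream."""
    blobs = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates trailing bytes, unlike the one-shot decompress()
            blobs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (fonts, images, ...): nothing to inflate
    uris = []
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            uris.append(_unescape(m.group(1)).decode("latin-1"))
    return uris


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two host labels). Assumption: a real tool would use the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.rsplit(".", 2)[-2:])


def assess_link_farm(pdf_bytes: bytes, max_bytes: int = 100_000,
                     min_pdf_links: int = 15, min_share: float = 0.5) -> dict:
    """Approximation of PDF_SEO_LINK_FARM: a small file with many external .pdf links,
    most of them on one domain. The thresholds are assumptions, not the vendor's values."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(u) for u in external)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(external) if external else 0.0
    flagged = (len(pdf_bytes) <= max_bytes
               and len(pdf_links) >= min_pdf_links
               and share >= min_share)
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_domain": top_domain,
        "top_share": round(share, 2),
        "flagged": flagged,
    }


def build_sample_pdf(urls, hidden_urls=()) -> bytes:
    """Constructed test input: a minimal PDF skeleton (no xref table; enough for a byte scan)
    with one /Link annotation per URL. hidden_urls go into a FlateDecode stream to mimic
    annotations packed in an object stream, which a raw scan alone would miss."""
    body = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    body += b"2 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n"
    num = 3
    for u in urls:
        body += (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                 b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (num, u.encode()))
        num += 1
    if hidden_urls:
        packed = b"".join(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % u.encode()
                          for u in hidden_urls)
        data = zlib.compress(packed)
        body += (b"%d 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
                 % (num, len(data)) + data + b"\nendstream\nendobj\n")
    return body + b"%%EOF\n"


if __name__ == "__main__":
    farm = build_sample_pdf(
        [f"http://link-farm.example/uploads/{i}.pdf" for i in range(14)]
        + ["http://other.example/doc.pdf"],
        hidden_urls=["http://link-farm.example/a.pdf", "http://link-farm.example/b.pdf"],
    )
    print(assess_link_farm(farm))
    print(assess_link_farm(build_sample_pdf(["https://doi.org/10.1000/xyz"])))
```

As the report itself notes, an extracted URL is evidence of a channel, not a detection by itself; this check scores the pattern (size, count, concentration), and the per-URL labels still have to say which object reached each link. A carrier that stores its URIs as hex strings, uses a non-Flate filter, or encrypts the document will slip past this byte-level scan and needs a proper PDF parser.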

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind              Source                                      Size
font_00_sfnt_off000018d3.bin  pdf-font-stream   PDF embedded font (sfnt) at offset 0x18D3   7820 bytes
  SHA-256: 6001f31a0ee907d1b2ba297d8805f48c47b648829bef5c2f96b5fc05c4944cd0
font_01_sfnt_off00005c46.bin  pdf-font-stream   PDF embedded font (sfnt) at offset 0x5C46   1872 bytes
  SHA-256: a1e76a4a33fd00720c09c3f73c1e3f7c07e19629020bd456517facccced73307