Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcecbd974091c841…

MALICIOUS

PDF

35.0 KB Authoring application: Soda PDF
MD5: f6e10c2524d8ef5aceabe9bcbeec1b82 SHA-1: 3443bab7dbf4d6c9506d899ee31425aa525c7c8c SHA-256: bcecbd974091c84195a0feb1c43c9d30c8aab6e28e2e6b4bc191ac6f3dd82411
168 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link

The PDF file contains a large number of embedded links, many of which are disguised as download buttons. The heuristic 'SE_BROWSER_INSTALL_LURE' indicates the document prompts the user to install a browser extension or plugin. This, combined with the ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0', strongly suggests a phishing or malware distribution attempt. No scripts were extracted, limiting further analysis of the payload delivery mechanism.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pazisomesujuxiz.weebly.com/uploads/1/3/0/2/130271017/6993462.pdf
    • http://truedefdentallaboratory.com/uploads/1/3/0/6/130604635/jokikuwuwavuf.pdf
    • http://snsmedia.org/uploads/1/3/0/2/130274091/9515664.pdf
    • http://sewoz.zotye-t600.ru/uploads/2020/01/28/joxewivixewu-kisitimotex-losazazejowinal-nosadapeg.pdf
    • http://shopcenter18.fun/uploads/2020/01/28/guxekapurijafujifa.pdf
    • http://kingfisher-strategy.com/uploads/1/3/0/2/130289719/6154ed700b.pdf
    • http://narrenofnewulm.net/uploads/1/3/0/6/130604886/gokirot_lulegij_tefisolafeledab.pdf
    • http://puzzlescleaning.com/uploads/1/3/0/2/130289485/7647285.pdf
    • http://noradragoon.com/uploads/1/3/0/6/130639877/nuxudokobenu.pdf
    • http://bozedobi.brgymahabangparang.com/uploads/2020/01/28/3368372.pdf
    • http://therockstarwithinyou.com/uploads/1/3/0/2/130289467/silitesilebufefubaji.pdf
    • http://mirrormath.net/uploads/1/3/0/7/130775837/130775837.html#facebook+video+application+free

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000130b.bin
157175590b9be3ab23b1bf321346b5010977083514bfee7a7e77a038b45bfe12		 pdf-font-stream PDF embedded font (sfnt) at offset 0x130B 8224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.