Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcf2aabb2119fb6e…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Authoring application: Nitro PDF
MD5: 583975daa2d1d023f692b14a89a5a00e
SHA-1: 6d78a90229e4819e289a5063530bd325d6662014
SHA-256: bcf2aabb2119fb6eca22a209c285468194c4c0be0a20d7d3ec06a3c57c2d99ec
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains roughly two dozen embedded URLs, almost all of them clickable links to other PDF files hosted on unrelated domains that share one path layout (/uploads/1/3/0/<n>/<nine digits>/<random name>.pdf, consistent with site-builder upload storage); one link points to an HTML page with an SEO keyword fragment. A small document whose links are a mass of generated file names on many unrelated hosts is not a citation pattern; it matches SEO/link-farm PDF carriers used to route readers into malicious or unwanted-software delivery chains. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 supports the malicious classification. No scripts were extracted from this sample, so direct execution capability could not be assessed statically; in particular, the T1059.001 (PowerShell) mapping is not substantiated by any extracted content, and the link URLs are the actionable indicators. The linked PDFs were not fetched during static analysis, so what the chain delivers past the first hop is unknown from this report alone.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lsep8.bpmtc.com/uploads/1/3/0/3/130313208/3228407.pdf
    • http://insideosuokc.net/uploads/1/3/0/5/130588188/8420053.pdf
    • http://daydreamdynamics.com/uploads/1/3/0/7/130739916/nimutikitolutis-busatuvebonali-gupajumutenojos.pdf
    • http://alporusi.fi/uploads/1/3/0/3/130323601/3425893.pdf
    • http://www.butchangel.com/uploads/1/3/0/2/130289315/9556791.pdf
    • http://reisteel.net/uploads/1/3/0/4/130490181/aa054ae1e.pdf
    • http://novelendings.com/uploads/1/3/0/6/130604201/vinifuwaluj_nirixixa_xafigusov.pdf
    • http://sacredselfempowerment.com/uploads/1/3/0/3/130313746/bixabibume.pdf
    • http://toddtea.com/uploads/1/3/0/4/130489275/7623452.pdf
    • http://allaroundcontracting.net/uploads/1/3/0/6/130639904/lulosopaz.pdf
    • http://northolmesjuniorschool.com/uploads/1/3/0/5/130545557/gogogo_donurat_zojifit.pdf
    • http://planteriget.com/uploads/1/3/0/7/130738988/fowepenix-vanumu-xoripitep.pdf
    • http://newvisionedsolutions.com/uploads/1/3/0/3/130379115/nokeninogus-bisisojaz-konoduwirepodo-poginesosapisaj.pdf
    • http://bloomandbeyond.com/uploads/1/3/0/4/130490776/gisujotofi.pdf
    • http://theodoreskye.com/uploads/1/3/0/6/130605426/3678390.pdf
    • http://scrumptious.info/uploads/1/3/0/3/130323281/povikowivakekodig.pdf
    • http://nanomat2019.com/uploads/1/3/0/5/130588415/naxamumer-piwulisu.pdf
    • http://coffeyvillelivestockmarket.com/uploads/1/3/0/2/130287890/6379231.pdf
    • http://trustcld.com/uploads/1/3/0/3/130379391/xupunitobitigug-bidusisulile-gokexitidinima.pdf
    • http://gaptoothmodels.com/uploads/1/3/0/7/130775427/toxesizojunijewu.pdf
    • http://rootcausewellness.com/uploads/1/3/0/3/130323789/6881d408846458d.pdf
    • http://drivewithcoin.com/uploads/1/3/0/7/130740556/a6fecce10f01.pdf
    • http://9l6v0m.bdgct.com/uploads/1/3/0/4/130476427/130476427.html#online+convert+pdf+file+to+xls
    • http://reisteel.net/uploads/1
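The PDF_SEO_LINK_FARM heuristic above can be reproduced with a short scanner. The following is an added example written for this page, not the analysis platform's own code: it pulls every /URI link action out of a PDF (inflating FlateDecode streams first, since link annotations in real files often sit in compressed object streams), keeps external links to other PDFs, and clusters them by host and, going one step beyond the heuristic text, by path shape with digit runs collapsed, which is the cluster the URL list above actually shows (many hosts, one /uploads/N/N/N/N/N layout). The size and count thresholds (64 KB, 10 links, 50 % share) and the sample URLs and hosts are assumptions constructed for the demonstration.

```python
"""Link-farm heuristic for small PDFs (added example, not the scanner's own code)."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) literal strings; the group tolerates escaped parentheses inside the URL.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Raw bytes plus the inflated body of every stream that is Flate data."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a clipped final byte where decompress() would raise
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # fonts, images, raw content: not Flate, the raw scan still sees them
    return data + b"\n" + b"\n".join(inflated)


def extract_uris(pdf_bytes: bytes) -> list:
    """All /URI strings in the document with PDF literal-string escapes (\\( \\) \\\\) undone."""
    uris = []
    for m in URI_RE.finditer(inflate_streams(pdf_bytes)):
        uris.append(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Directory part of the path with digit runs collapsed: /uploads/1/3/0/5/130588188 -> /uploads/N/N/N/N/N."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def assess(pdf_bytes: bytes, max_size: int = 64 * 1024, min_links: int = 10, cluster_share: float = 0.5) -> dict:
    """Small file + many external .pdf links + most of them on one host or one path shape -> flagged."""
    uris = extract_uris(pdf_bytes)
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https") and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    shapes = Counter(path_template(u) for u in pdf_links)
    n = len(pdf_links)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_shape_share = shapes.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(top_host_share, top_shape_share) >= cluster_share)
    return {
        "size": len(pdf_bytes),
        "uris": uris,
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host_share,
        "top_path_shape": shapes.most_common(1)[0][0] if n else None,
        "top_shape_share": top_shape_share,
        "flagged": flagged,
    }


def build_sample_pdf(urls: list) -> bytes:
    """Constructed test input (not the analysed sample): one Link annotation per URL.
    The last annotation is stored inside a FlateDecode stream, standing in for an object
    stream, so inflate_streams is exercised. No xref table is written; the scanner needs none."""
    def literal(s: str) -> str:
        return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"

    def annot(url: str) -> str:
        return f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI {literal(url)} >> >>"

    out = [b"%PDF-1.4"]
    num = 1
    for url in urls[:-1]:
        out.append(f"{num} 0 obj\n{annot(url)}\nendobj".encode("latin-1"))
        num += 1
    packed = zlib.compress(annot(urls[-1]).encode("latin-1"))
    out.append(f"{num} 0 obj\n<< /Length {len(packed)} /Filter /FlateDecode >>\nstream\n".encode("latin-1")
               + packed + b"\nendstream\nendobj")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)


# Constructed URLs imitating the report's pattern: twelve hosts, one path shape, plus one HTML SEO link.
LINK_FARM = [f"http://host{i}.example/uploads/1/3/0/{i % 8}/13{i:07d}/{i * 7919}.pdf" for i in range(12)]
LINK_FARM.append("http://host99.example/uploads/1/3/0/4/130476427/130476427.html#online+convert+pdf")
BENIGN = ["https://www.example.org/papers/report-2019.pdf", "https://docs.example.net/spec.pdf"]

if __name__ == "__main__":
    for name, urls in (("link farm", LINK_FARM), ("benign", BENIGN)):
        r = assess(build_sample_pdf(urls))
        print(name, {k: v for k, v in r.items() if k != "uris"})
```

Run as-is, the constructed link-farm document is flagged on path shape alone (top_host_share is 1/12, top_shape_share is 1.0), which is why clustering only by host, as the heuristic text describes, would have under-rated the URL list in this report; the two-link benign control stays below min_links. Against real files, lower max_size or raise min_links to taste, and remember that the regex pass does not see strings split across object-stream boundaries or encrypted documents.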

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00003311.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3311  8216 bytes
  SHA-256: 9e0086017ae466068a247b663ce183dc089c932cce404c5b116579b69632c479