Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd4bf9f9ff994cb7…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Authoring application: PDFedit
MD5: 3b82137ac465eca0db6ba29c5ba22ae6
SHA-1: 1d25891c0f0b816d045970863304b78267b578d4
SHA-256: bd4bf9f9ff994cb7723ede71791ae59570e629691c589680e1d119cf4093298c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs, indicative of a link farm designed to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-redirection intent. No scripts were extracted, and the document body was heavily obfuscated, which limited further analysis of the specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://fencetreeproductions.com/uploads/1/3/0/4/130483978/gozigigasere.pdf
    • http://1technologyplace.com/uploads/1/3/0/6/130621947/ruwuzavidajor.pdf
    • http://cardboardbuild.com/uploads/1/3/0/2/130288468/d1ada84c.pdf
    • http://devonwheatonfitness.com/uploads/1/3/0/7/130775280/gazibifema.pdf
    • http://www.iecep-bataan.com/uploads/1/3/0/6/130639781/875910.pdf
    • http://fonestalve.com/uploads/1/3/0/5/130539679/niwaxurepopidir.pdf
    • http://missrlong.com/uploads/1/3/0/5/130543837/b81b7.pdf
    • http://mystarcleaner.com/uploads/1/3/0/5/130551518/mukuzalo_xezugaver_bipani_makabirivex.pdf
    • http://hostmaster.eyhukuk.com/uploads/1/3/0/8/130874128/pesigiri_vidijunop_mojolofimevepiv.pdf
    • http://thefastshopp.com/uploads/1/3/0/8/130874269/mixekaledexata.pdf
    • http://armentalandscapeco.com/uploads/1/3/0/8/130814250/fedepaxaluwefig.pdf
    • http://www.ganderviewoutfitters.com/uploads/1/3/0/6/130620371/5af13c1391b1.pdf
    • http://cinescapedynamics.net/uploads/1/3/0/5/130590664/9472717.pdf
    • http://nirthpanter.net/uploads/1/3/0/4/130476499/1886122.pdf
    • http://rtpreston.com/uploads/1/3/0/3/130379228/zebudog-voluziro-rexogas-jegamuxawobi.pdf
    • http://sweetsbykay.com/uploads/1/3/0/2/130273791/bugolekojozabuvosuv.pdf
    • http://eumid.com/uploads/1/3/0/7/130775106/gewaretudata_muzobixaroxatij.pdf
    • http://thewicklowway.org/uploads/1/3/0/7/130776499/ea245cacb2137.pdf
    • http://nachomamasbedandsnack.com/uploads/1/3/0/6/130605080/ed920f70862a8a.pdf
    • http://cookingtwothrive.com/uploads/1/3/0/2/130292148/adcd03f70450b7.pdf
    • http://ww2.buyphilproperties.com/uploads/1/3/0/2/130272438/6303379.pdf
    • http://codebeforedawn.net/uploads/1/3/0/4/130436139/4219019.pdf
    • http://brookeamandaportfolio.com/uploads/1/3/0/8/130814993/7a6044.pdf
    • http://atasteofjamaicaandmore.com/uploads/1/3/0/9/130969917/130969917.html#hungry+jack%27s+deals+qld
    • http://missrlong.com/uploads/1/3/0/5/13

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00002973.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2973   16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
font_01_sfnt_off000040cf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x40CF   8688 bytes
  SHA-256: 43ad91f02f50482a830c581992cb00d7ad5c37aad657e08a2c11ec02bc56e18e