Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf419a2d3477b8f1…

MALICIOUS

PDF

38.5 KB Authoring application: GIMP
MD5: 2f8b3d367bdda21555d81d5cbaa91fbf SHA-1: 806ce17c353717e173610d8a53235cf8d914e98a SHA-256: bf419a2d3477b8f147e374bec5c0374cec0353c8efb3691a329eb7cd0988e49a
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to suspicious PDF files, indicating a link farm for SEO manipulation or phishing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious traffic redirection intent. The presence of a visual download button lure in the document body reinforces the deceptive nature of the file.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://juze.solidstore.online/uploads/2020/01/27/jizefes_lavezana_pupureda.pdf
    • https://korumesad.weebly.com/uploads/1/3/0/3/130313670/zosuxija.pdf
    • http://iecsae.com/uploads/1/3/0/6/130604887/vasebafexekabub.pdf
    • http://rifun.technolojix.com/uploads/2020/01/27/dotowizusazal.pdf
    • https://wagefelom.weebly.com/uploads/1/3/0/2/130287971/duwareburigokup.pdf
    • https://tozugozanofus.weebly.com/uploads/1/3/0/4/130489253/1024399.pdf
    • http://rutunuvab.davidnajaryan.com/uploads/2020/01/28/joxobom.pdf
    • http://0978387520.com/uploads/1/3/0/4/130476496/notuvitutido_bojanakagimawep_rinojogozufu_tewuvojarumutuz.pdf
    • http://vtail99.net/uploads/1/3/0/6/130620818/dubifigax_kasikeka_pujusi.pdf
    • http://woletorapo.zaruba.pro/uploads/2020/01/27/cad4dc49fd5aa9.pdf
    • http://bofegonuz.finding-love.online/uploads/2020/01/28/fisuvadikate_xoliwotos_wupuzisuzunaxi_damivonej.pdf
    • https://kamowexu.weebly.com/uploads/1/3/0/2/130289530/peseg.pdf
    • http://neku.ixilist.com/uploads/2020/01/28/909c80bcc07.pdf
    • http://xujib.lider-fruits.ru/uploads/2020/01/28/nipitiribitenowalezi.pdf
    • http://lom.soyana.ru/uploads/2020/01/27/744c695a92d.pdf
    • https://kaxemarumoner.weebly.com/uploads/1/3/0/6/130604548/1301096.pdf
    • http://livingswellrva.com/uploads/1/3/0/4/130483355/savij.pdf
    • http://mmhac.com/uploads/1/3/0/2/130288775/130288775.html#vsco+full+pack

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001513.bin
f90cb88f084fac63bce6262aff441d6ddf95236e4ed0f1c7f8cdf2f3628a1c8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1513 8464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.