Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf459619470e21ef…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Authoring application: Poppler-utils
MD5: 46d88bebb5dd55836f90fcc5d9aef8d4
SHA-1: c96a2ca968b3f3b4e33927846e6bb7f36b1e5f6b
SHA-256: bf459619470e21ef3a338ebc237c2ee1a4c0b9e57b8509a11b9599c5f93f8616
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

ClamAV detects the PDF as Pdf.Phishing.TtraffRobotInstall (signature Pdf.Phishing.TtraffRobotInstall-7605656-0). The critical heuristic PDF_SEO_LINK_FARM fired because this small file carries 31 clickable external links to other PDF files, a pattern typical of generated SEO/link-farm carrier documents rather than of ordinary document citations. The extracted URLs are spread across otherwise unrelated domains (several of them service subdomains such as mta-sts., autodiscover. and mail.), yet every one uses the same /uploads/<d>/<d>/<d>/<d>/<nine digits>/ path layout, which points to a single templated hosting setup; the one non-PDF target is an HTML page whose URL fragment is a keyword string (college+baseball+scores+top+25), consistent with SEO spam. Targets of this kind typically host further lure documents or redirect the user into a phishing or unwanted-software delivery chain.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) records which part of the document reached each URL.
    • http://mta-sts.dresselsservicestation.com/uploads/1/3/0/8/130815008/lasivikuramuga_xisileraf_nujizilijib_weloreron.pdf
    • http://costaricapremiumrealtors.com/uploads/1/3/0/5/130551475/3360100.pdf
    • http://demo2.octarinesec.com/uploads/1/3/0/4/130488252/rudipup_risipefebifebow_genetigori_zonujoneb.pdf
    • http://blissmacau.com/uploads/1/3/0/4/130488831/sizekidigijeluv-vivopupe-jutaxisebo.pdf
    • http://fly360green.org/uploads/1/3/0/6/130620863/xetagavodokawedusu.pdf
    • http://www.annekatrinklein.com/uploads/1/3/0/7/130740376/dovad.pdf
    • http://mta-sts.mail.crashinc.com/uploads/1/3/0/2/130274330/5950404.pdf
    • http://mail.gorntomechanical.com/uploads/1/3/0/6/130620327/wanenibuzowuv_vuzug.pdf
    • http://constructiondollarsandsense.net/uploads/1/3/0/5/130588336/28a2c679e22.pdf
    • http://laffingboymusic.com/uploads/1/3/0/5/130538923/830680.pdf
    • http://www.truebluecleaning.net/uploads/1/3/0/4/130478174/gekaz-rofibuvazaxuvak-dirarojixiw.pdf
    • http://www.klokkeraadgivning.com/uploads/1/3/0/4/130483638/3a048b4cfcf88.pdf
    • http://autodiscover.parkavenueparties.com/uploads/1/3/0/7/130739996/02810ce8.pdf
    • http://a113n.net/uploads/1/3/0/2/130271124/3149320.pdf
    • http://nihaosky.com/uploads/1/3/0/5/130588157/2786983.pdf
    • http://musclemodels.net/uploads/1/3/0/2/130288775/kurojefurokowube.pdf
    • http://carllarosa.com/uploads/1/3/0/7/130739212/kapaxijerepugu-toguzewe-gogukikuvuwu.pdf
    • http://emmareneebradford.com/uploads/1/3/0/7/130775201/wafapemudan_sipuzote_mikenonukes_jaforavulodo.pdf
    • http://adsl-63-204-18-57.benefitplans.org/uploads/1/3/0/6/130605420/130605420.html#college+baseball+scores+top+25
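The two heuristics above, the EMBEDDED_URL channel labelling and the PDF_SEO_LINK_FARM check, as an added worked example in Python. This is illustrative code written for this report, not the analysis tool's own implementation: the regex parser only handles uncompressed PDF objects (object streams and /FlateDecode content would have to be inflated first), the thresholds (file size, minimum number of PDF links, host-clustering ratio) are assumptions, and the sample PDF, its example.com/example.org/example.net hosts and its URLs are all constructed here rather than taken from the analysed file.

```python
"""Extract URLs from a PDF by channel and apply a link-farm style heuristic.

Hand-written example for this report, not the analysis tool's code. The regex
parser handles only uncompressed objects, the thresholds are assumptions, and
the sample PDF below is constructed, not the analysed file.
"""
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(rb'https?://[^\s"\'()<>]+')
# A /Link annotation whose /URI action target is a literal (...) string.
LINK_RE = re.compile(rb"/Subtype\s*/Link\b(?:(?!endobj).)*?/URI\s*\(([^)]*)\)", re.S)
# A JavaScript action; the /JS literal may contain one level of balanced parentheses.
JS_RE = re.compile(rb"/S\s*/JavaScript\b(?:(?!endobj).)*?/JS\s*\(((?:[^()\\]|\\.|\([^()]*\))*)\)", re.S)


def build_sample_pdf(link_urls, js_url, comment_url):
    """Construct a minimal one-page PDF with one /Link annotation per URL, a
    document-level JavaScript /OpenAction, and a URL that appears only in a
    comment line (constructed sample, not the analysed file)."""
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.launchURL("'
        + js_url.encode() + b'", true);) >> >>',
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(link_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for i, url in enumerate(link_urls):
        rect = b"[10 %d 300 %d]" % (10 + 12 * i, 20 + 12 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect
                    + b" /A << /S /URI /URI (" + url.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj %s endobj\n" % (n + 1, o) for n, o in enumerate(objs))
    return b"%PDF-1.4\n% see " + comment_url.encode() + b"\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


def extract_urls(pdf):
    """Return (url, channel) pairs; channel names mirror the report's labels."""
    found, seen = [], set()

    def add(url, channel):
        if (url, channel) not in seen:
            seen.add((url, channel))
            found.append((url, channel))

    for m in LINK_RE.finditer(pdf):                      # clickable link annotations
        add(m.group(1).decode("latin-1"), "link_annotation")
    for m in JS_RE.finditer(pdf):                        # URLs inside JavaScript actions
        for u in URL_RE.findall(m.group(1)):
            add(u.decode("latin-1"), "javascript")
    attributed = {u for u, _ in found}
    for u in URL_RE.findall(pdf):                        # anything else that looks like a URL
        u = u.decode("latin-1")
        if u not in attributed:
            add(u, "document_body")
    return found


def link_farm_heuristic(urls, size_bytes, max_size=200 * 1024, min_pdf_links=10, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style check (thresholds are assumptions): a small PDF whose
    clickable annotations point at many external .pdf files, mostly on one host."""
    pdf_links = [u for u, ch in urls
                 if ch == "link_annotation" and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    clustering = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "clustering": clustering,
        "fired": size_bytes <= max_size and len(pdf_links) >= min_pdf_links and clustering >= cluster_ratio,
    }


# Constructed input: nine PDF links on one host, three on others, one keyword-stuffed HTML link.
LINKS = (["http://farm.example.com/uploads/1/3/0/1/130000001/%d.pdf" % i for i in range(9)]
         + ["http://other%d.example.org/uploads/1/3/0/2/13000000%d/page.pdf" % (i, i) for i in range(3)]
         + ["http://other0.example.org/uploads/1/3/0/2/130000000/index.html#keyword+stuffed+fragment"])
SAMPLE_PDF = build_sample_pdf(LINKS, "http://js.example.net/x.pdf", "http://plain.example.com/readme.pdf")


def analyse(pdf=SAMPLE_PDF):
    urls = extract_urls(pdf)
    return urls, link_farm_heuristic(urls, len(pdf))


if __name__ == "__main__":
    urls, verdict = analyse()
    for url, channel in urls:
        print("%-16s %s" % (channel, url))
    print(verdict)
```

The channel label matters for triage: a URL reached only through a link annotation needs a click, whereas one reached from a JavaScript /OpenAction can fire on open, so the same URL list carries different risk depending on the channel that produced it. Real samples usually keep their objects inside compressed object streams, so a production extractor inflates those before running pattern matching like this.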

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000040e3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x40E3   8572 bytes
  SHA-256: 1a05d88ffb0f99d647420d6867b51363e86b4f1b4183fc0ea56cd8bce9154a31
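How a row like the one above is produced, as an added example in Python that is not the analysis tool's carver: it walks the uncompressed stream objects of a PDF, keeps those whose data begins with an sfnt magic number, and records the same offset, size, SHA-256 and font_NN_sfnt_offXXXXXXXX.bin naming the report uses. The sample PDF and its 84-byte fake TrueType font are constructed here (the font is structurally valid but not renderable), and a real /FlateDecode font stream would have to be inflated before this check.

```python
"""Carve embedded sfnt font streams out of a PDF and record offset/size/SHA-256.

Hand-written example for this report, not the analysis tool's carver. Only
uncompressed stream objects are handled, and the sample PDF is constructed.
"""
import hashlib
import re
import struct

# Magic numbers an sfnt container can start with: TrueType, CFF-flavoured
# OpenType, Apple TrueType, and a TrueType collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# A stream dictionary with a direct /Length, followed by the 'stream' keyword.
# Crossing 'endobj' is forbidden so a dictionary without a stream is never
# merged with the next object's dictionary.
STREAM_RE = re.compile(rb"<<(?:(?!endobj).)*?/Length\s+(\d+)(?:(?!endobj).)*?>>\s*stream\r?\n", re.S)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_fake_sfnt(tags=(b"head", b"glyf")):
    """Construct a structurally valid (not renderable) TrueType sfnt: offset
    table, table directory, then one 20-byte payload per table."""
    num_tables = len(tags)
    header = struct.pack(">IHHHH", 0x00010000, num_tables, 32, 1, 0)
    data_start = 12 + 16 * num_tables
    directory, payloads = b"", b""
    for i, tag in enumerate(tags):
        payload = bytes([i + 1]) * 20
        directory += struct.pack(">4sIII", tag, 0, data_start + len(payloads), len(payload))
        payloads += payload
    return header + directory + payloads


def carve_sfnt_fonts(pdf):
    """Return one record per stream whose data starts with an sfnt magic,
    named the way the report names carved fonts (font_<n>_sfnt_off<hex>.bin)."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        length = int(m.group(1))
        start = m.end()                      # file offset of the first stream byte
        data = pdf[start:start + length]
        if len(data) != length or data[:4] not in SFNT_MAGICS:
            continue
        num_tables = struct.unpack(">H", data[4:6])[0]
        # A single font must have a plausible table count; 'ttcf' keeps a version there instead.
        if data[:4] != b"ttcf" and not 0 < num_tables <= 64:
            continue
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "offset": start,
            "size": length,
            "sha256": sha256_hex(data),
            "num_tables": num_tables,
        })
    return found


# Constructed sample: one text stream (not a font), a font descriptor, and one
# FontFile2 stream holding the fake sfnt.
FONT = build_fake_sfnt()
FONT_OBJ = b"3 0 obj << /Length %d /Length1 %d >> stream\n" % (len(FONT), len(FONT))
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Length 11 >> stream\nHello world\nendstream endobj\n"
    b"2 0 obj << /Type /FontDescriptor /FontName /ABCDEF+Fake /FontFile2 3 0 R >> endobj\n"
    + FONT_OBJ + FONT + b"\nendstream endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print("%(filename)s  offset 0x%(offset)X  %(size)d bytes  sha256 %(sha256)s" % rec)
```

Carved fonts are worth keeping even when the verdict already rests on the link farm: the SHA-256 of an embedded font is a stable pivot for clustering documents generated by the same toolchain, and a font stream is also where a parser-exploiting payload would sit in a different kind of sample.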