Malicious PDF — malware analysis report

Static analysis result for SHA-256 c22fc3d6b516349f…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Authoring application: Inkscape
MD5: 96a5c46975ebecf711794177d5f8d78e
SHA-1: be83aac8519c4284c937ff48dea218f86fc2a933
SHA-256: c22fc3d6b516349fdc7f2f68597bab8d1026f98a7db92417e31591250b97b7f8
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded URLs that together form a link farm. The primary heuristic that fired, PDF_SEO_LINK_FARM, counts 22 external links, predominantly hosted on 'qayl.club'. This suggests the document exists to redirect users to potentially malicious content, most likely phishing pages or malware downloads, rather than to convey any content of its own.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://qayl.club/uploads/2020/01/29/c670c159a.pdf
    • http://qeisolutions.com/uploads/1/3/0/5/130590463/6223231.pdf
    • http://tewiz.passlink.ru/uploads/2020/01/28/bimetasugi_sobapax_maren.pdf
    • https://rutokujati.weebly.com/uploads/1/3/0/4/130483512/garete.pdf
    • http://0406shopps03.fun/uploads/2020/01/28/tokukimevo-fabexi-tatogevexen-lifadobarizaz.pdf
    • http://ded.office-msk.ru/uploads/2020/01/28/pebesubonotez.pdf
    • http://gigizudox.evanstonfcu.com/uploads/2020/01/28/1834524.pdf
    • https://fiwokotiribow.weebly.com/uploads/1/3/0/6/130604522/zunofepaju.pdf
    • http://empowereducon.com/uploads/1/3/0/3/130324241/28a07cd7dc4.pdf
    • http://aimmos.org/uploads/1/3/0/3/130323930/7904003.pdf
    • http://gituwopolu.clash-x.space/uploads/2020/01/27/6223963.pdf
    • http://loj.vipiski-besplatno19.icu/uploads/2020/01/27/zojawisuzeroxatiwi.pdf
    • http://pazal.b-les-bel.su/uploads/2020/01/28/5994343.pdf
    • http://aaceconsulting.org/uploads/1/3/0/4/130483393/6356469.pdf
    • http://missellieganza.com/uploads/2020/01/28/79dffcd25667b.pdf
    • https://vezavanavelu.weebly.com/uploads/1/3/0/5/130551518/784cd363aa6e38.pdf
    • http://dave.one-drive.ru/uploads/2020/01/27/vibozitapebawon.pdf
    • http://greencardxpert.com/uploads/1/3/0/4/130483653/jirumexomujim.pdf
    • http://ctcphiladelphia.com/uploads/1/3/0/5/130588731/ba9b46a772768.pdf
    • http://tienda-adan.com/uploads/2020/01/28/4a6ce.pdf
    • https://zitosetomoti.weebly.com/uploads/1/3/0/3/130323733/basosonolijibot-rataxewupen.pdf
    • http://doju.tutotchet.ru/uploads/2020/01/28/zunoku_tijuzumajanuv_mipos_fetopididedu.pdf
    • http://iloveacorns.com/uploads/1/3/0/6/130620454/130620454.html#new+bollywood+songs+2019++zip+file

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off000016ba.bin
    SHA-256: 047b91c3b91ba9fb55fc18c42e75bae958529f708eb4a2c6263b2a61a73ec912
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16BA
    Size: 8672 bytes
  • font_01_sfnt_off00005ec4.bin
    SHA-256: 2ba4641c91125c080053339fd658297607bf50235cea40bacc5a599f1ec9ea5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EC4
    Size: 16292 bytes