Malicious PDF — malware analysis report

Static analysis result for SHA-256 c262c458401e2ca9…

MALICIOUS

PDF

Size: 40.8 KB
Created: 2018-11-30 20:36:04 +03:00
Authoring application: Microsoft® Word 2016
MD5: 818eef626f0f7d6d9684c46e12296bbd
SHA-1: 75b7c866902242c9c573c9b278d5c5466b7ccdb8
SHA-256: c262c458401e2ca9371512c2038437fda937dacf0c33a15921840aaf0e9f3b3b
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected as a dropper by ClamAV. Static analysis revealed a large number of embedded external links, primarily pointing to book-related URLs on the domain www.gorillawalker.com. This suggests a link farm or SEO poisoning attack, where the PDF is used to distribute malicious links rather than directly executing a payload. The document body was heavily obfuscated and did not provide further clues.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7299732-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7299732-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.gorillawalker.com/the-autobiography-of-lincoln-steffens-complete-in-one-volume.pdf
    • http://www.gorillawalker.com/the-arts-young-children-and-learning.pdf
    • http://www.gorillawalker.com/chance-in-hell-a-noah-chance-mystery-book-1-kindle.pdf
    • http://www.gorillawalker.com/cornea-color-atlas-and-synopsis-of-clinical-ophthalmology-wills-eye.pdf
    • http://www.gorillawalker.com/el-espiritu-de-la-liturgia-the-liturgy-spirit-spanish-edition.pdf
    • http://www.gorillawalker.com/hell-to-the-damned-living-cold-1-siren-publishing-classic.pdf
    • http://www.gorillawalker.com/manual-of-the-book-of-common-prayer.pdf
    • http://www.gorillawalker.com/lost-and-found-groom-a-western-romance-a-place-called.pdf
    • http://www.gorillawalker.com/three-years-and-eight-months.pdf
    • http://www.gorillawalker.com/the-complete-illustrated-breeder-s-guide-to-marine-aquarium-fishes.pdf
    • http://www.gorillawalker.com/colon-hydrotherapy-the-professional-practitioner-training-manual-and-reference-book.pdf
    • http://www.gorillawalker.com/parental-guidance-kindle-edition.pdf
    • http://www.gorillawalker.com/at-the-very-least-she-pays-the-rent-women-and.pdf
    • http://www.gorillawalker.com/quintilian-and-the-law-the-art-of-persuasion-in-law.pdf
    • http://www.gorillawalker.com/hetty.pdf
    • http://www.gorillawalker.com/gnosis-onward-weaving-science-spirituality-and-hidden-history-into-the.pdf
    • http://www.gorillawalker.com/mallorca-road-maps-english-spanish-french-italian-and-german-edition.pdf
    • http://www.gorillawalker.com/denim-dudes-street-style-vintage-workwear-obsession.pdf
    • http://www.gorillawalker.com/flaxseed-recipes-lose-weight-gain-energy-achieve-overall-wellness.pdf
    • http://www.gorillawalker.com/by-globetrotter-lebanon-travel-map-globetrotter-travel-map-second-edition.pdf
    • http://www.gorillawalker.com/folkelivsromaner-og-folkelivsbilleder-jutulskaret-glomdalsbruden-primary-source-edition-norwegian-edition.pdf
    • http://www.gorillawalker.com/the-history-of-the-destruction-of-jerusalem.pdf
    • http://www.gorillawalker.com/minding-my-peas-and-cucumbers-quirky-tales-of-allotment-life.pdf
    • http://www.gorillawalker.com/the-linux-kernel-book.pdf
    • http://www.gorillawalker.com/the-ship-that-stood-still-californian-and-her-mysterious-role.pdf
    • http://www.gorillawalker.com/ancient-floods-modern-hazards-principles-and-applications-of-paleoflood-hydrology.pdf
    • http://www.gorillawalker.com/understanding-humor-through-communication-why-be-funny-anyway.pdf
    • http://www.gorillawalker.com/jedi-twilight-star-wars-coruscant-nights-i.pdf
    • http://www.gorillawalker.com/mathematical-stereochemistry.pdf
    • http://www.gorillawalker.com/chasing-the-white-dog-an-amateur-outlaw-s-adventures-in.pdf
    • http://www.gorillawalker.com/infectious-disease-pearls-1e.pdf
    • http://www.gorillawalker.com/organization-theory-a-public-perspective.pdf
    • http://www.gorillawalker.com/entity-framework-interview-questions-you-ll-most-likely-be-asked.pdf
    • http://www.gorillawalker.com/your-personality-tree.pdf
    • http://www.gorillawalker.com/2009-living-nature-poster-calendar.pdf
    • http://www.gorillawalker.com/life-magazine-september-5-1969.pdf
    • http://www.gorillawalker.com/flexible-sigmoidoscopy.pdf
    • http://www.gorillawalker.com/porsche-road-car-race-car.pdf
    • http://www.gorillawalker.com/bondage-erotica-collared-lack-of-control-is-more-than-a.pdf
    • http://www.gorillawalker.com/land-and-resources-of-ancient-greece-primary-sources-of-ancient.pdf
    • http://www.gorillawa
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/