Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2bc5dee5f7eec91…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Authoring application: GIMP
MD5: 9329a4a36daffa4c1339b5829536c3c5
SHA-1: b578bfec69ba02014da6059e28e880f9af49f03f
SHA-256: c2bc5dee5f7eec916e49d097fddb9ac782802674158ceed70faa205788624bf8
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded external links, a common technique for SEO poisoning or redirecting users to phishing sites. The document body contains many of these URLs, suggesting the primary function is to distribute these links. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00001480.bin | 8fd94ff65225247d2967ca738f3c2e3a2fd3c207a7dad5fa79b701cc880cdd7b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1480 | 8444 bytes
font_01_sfnt_off00007ad7.bin | d45e8ddb410f6bd2638b67a41919af94f85c57c8dba1bbfcb202740c74adb338 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7AD7 | 4240 bytes