Malicious PDF — malware analysis report

Static analysis result for SHA-256 c447120dc83a8804…

MALICIOUS

PDF

Size: 43.8 KB
Authoring application: Karbon
MD5: 55fa75080a01d5d1e74e92034a904ddc
SHA-1: e92893cb4192e286f1afcd9a67feb93827b16058
SHA-256: c447120dc83a8804e168c52d02da6b23b2d6d06f8a8f9686f24ed305c516cedc
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, a technique commonly used for SEO poisoning or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious traffic redirection intent. No scripts were extracted from this sample, limiting the analysis of direct execution capabilities.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://tommycookdrums.com/uploads/1/3/0/4/130483591/zuredalo.pdf
    • http://turpinenterprises.com/uploads/1/3/0/3/130313429/vukibasijiraluvonone.pdf
    • http://videoscrip.ru/uploads/2020/01/27/6486756.pdf
    • http://mundofeliz.es/uploads/1/3/0/2/130272275/semomikab.pdf
    • http://petesfishtales.com/uploads/1/3/0/2/130273733/zibojajenapovu.pdf
    • http://gawixavew.best-of-world.ru/uploads/2020/01/28/govudo-jezigavatemirum-rogisudawo-fujibibivagim.pdf
    • http://blowbyblowparty.com/uploads/1/3/0/4/130483309/2fc28.pdf
    • http://fuxu.florissimo29.ru/uploads/2020/01/28/bepexuzazomu.pdf
    • http://instagame.biz/uploads/2020/01/28/madewugatikozugo.pdf
    • https://dukikapuz.weebly.com/uploads/1/3/0/5/130545698/779ef44993280.pdf
    • http://audicionamericas.com/uploads/1/3/0/5/130550790/teseziwegal.pdf
    • http://candidaturaomarmolina.com/uploads/2020/01/28/f0f7b29.pdf
    • http://norgrenairregulators.com/uploads/1/3/0/4/130476215/wufuralotawesok.pdf
    • http://diwused.ksptambov.ru/uploads/2020/01/28/84122fe989c6f93.pdf
    • https://lerivijawera.weebly.com/uploads/1/3/0/5/130540082/2bd4f932.pdf
    • http://fishionista.com/uploads/1/3/0/6/130604351/nevulajitigejagi.pdf
    • http://neuronsaway.weebly.com/uploads/1/3/0/2/130270977/zawax_gazemaso.pdf
    • http://alloexo.studio/uploads/1/3/0/3/130379298/ef15f5c38b9d7e5.pdf
    • http://miracleinabucket.com/uploads/1/3/0/3/130379959/130379959.html#advertisement+poster+format

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001544.bin
SHA-256: ff165cf56de0211993068a46a8a19a2422db07e5e3e48ca9aa89e85b54d021c9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1544
Size: 8528 bytes