Malicious PDF — malware analysis report

Static analysis result for SHA-256 c52be7feb4c84f71…

MALICIOUS

PDF

Size: 70.5 KB
Authoring application: Smallpdf Desktop
MD5: 5939f6005700f846a402484e5e626b5a
SHA-1: 9a73731a3725d060473bb34605c456bb42e969c8
SHA-256: c52be7feb4c84f71cb82085e154272a639cd8cb063f57251927f3d0d74e10da7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a significant number of embedded external links, forming a link farm. These links, such as http://garryandjen.com/uploads/1/3/0/3/130313319/tepele-gawojepekuvuza-fibaram.pdf, are likely used to redirect users to malicious sites. The document body contains garbled text and references to 'Smallpdf Desktop' and 'Acorus calamus sanskrit name', which appear to be lures.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source location within the sample, and size.

  • stream_004_off0000a752.bin
    SHA-256: a61f560db36c3d694be671b7070b8a404de612a94309560f889a9837f8b1445a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA752
    Size: 16988 bytes
  • font_00_sfnt_off00001212.bin
    SHA-256: 9d360cd45e3a405accfccedbd53d469f8d5ef6597dd5eae6cfaea6bd0c18dd25
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1212
    Size: 9844 bytes
  • font_01_sfnt_off000096e6.bin
    SHA-256: e2941ffbc83c3fb4716863266b3c9430862d0b539ce81f1775975f57b517c977
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x96E6
    Size: 5228 bytes
  • font_03_sfnt_off0000bfac.bin
    SHA-256: 65dd67ce4cadefdb64cffa8856c1f53cdc80a8aed7ba9fa6a7f83f1cfad9bd0d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBFAC
    Size: 5644 bytes
  • font_04_sfnt_off0000d036.bin
    SHA-256: 721d02007d051a16423a4e8373dc8344367549f93ec2b1d9126d68b8fa7a5f4c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD036
    Size: 7252 bytes