Malicious PDF — malware analysis report

Static analysis result for SHA-256 c642c0b5b265ead5…

Verdict: MALICIOUS
File type: PDF
Size: 38.0 KB
Authoring application: PDF Studio
MD5: 483437b1f7d6bf6e69e019c9551c8645
SHA-1: 705a6f5c3d2e3028c3c51b531a3e20af37394991
SHA-256: c642c0b5b265ead551476444c9f42d26703b80d763a340c5ee0ad64a95e057b6
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file contains a large number of embedded external links, a technique commonly used for SEO poisoning or phishing campaigns. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection intent. The document body contains garbled text and some URLs, but the primary malicious activity is the link farm.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                     | Size
------------------------------|------------------------------------------------------------------|-----------------|--------------------------------------------|-----------
font_00_sfnt_off000027a1.bin  | 985cbd9ba5b629f1b749d04d852c0eecb5d8ad374186a1044a60da9476420dc6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27A1  | 2788 bytes
font_01_sfnt_off000033bf.bin  | 623cc796e41cc38d61c3f66464deb275b62934c5f5546c1ec349e81178483f43 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33BF  | 7868 bytes