Malicious PDF — malware analysis report

Static analysis result for SHA-256 c651d1b0f25361a9…

MALICIOUS

PDF

40.0 KB Authoring application: Mobipocket Creator
MD5: 71aacd30c3416621e1d0cdb33008b6cb SHA-1: 7690c73fad709cb651c74b42a2a19d3e6b87588c SHA-256: c651d1b0f25361a94e0cab243909acd7882aee831ffe81294418adb742ae32b6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of SEO poisoning or a phishing campaign designed to drive traffic to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of this file.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://astys.ru:80/uploads/2020/01/29/fesekadesajova.pdf
    • http://tgi420.ca/uploads/1/3/0/5/130550703/2797061.pdf
    • http://deluxenews.ru/uploads/2020/01/28/2c93ec4e6.pdf
    • http://riveroflifeworship.com/uploads/1/3/0/6/130620480/rukolu.pdf
    • http://smiledefenders.net/uploads/1/3/0/4/130477193/gulomujivalif-bopujitew.pdf
    • http://allesaker.com/uploads/1/3/0/5/130590026/e5d3d.pdf
    • http://beyondthemasks.net/uploads/1/3/0/2/130289353/kazik_kodotamel.pdf
    • http://transfermarketgroup.com/uploads/1/3/0/2/130273578/zinafefavuvelawozu.pdf
    • http://gerrardphotography.com/uploads/1/3/0/4/130435532/9733191.pdf
    • http://mij.rofrest.ru/uploads/2020/01/29/mibetixu-gapawarive-tesakarukuzuvo-woxusinaj.pdf
    • http://novostrojka-start.ru/uploads/2020/01/27/ab958.pdf
    • http://ourhousea2z.com/uploads/1/3/0/2/130273799/siledi.pdf
    • https://jolomiru.weebly.com/uploads/1/3/0/4/130490668/793e81a96c.pdf
    • http://pilgrimpowerplant.com/uploads/1/3/0/6/130621165/b2029.pdf
    • http://orgmentum.com/uploads/1/3/0/5/130545382/9d4744.pdf
    • http://zosidi.bordadosymaschercross.com/uploads/2020/01/27/bopururetu_zamane_lodemuxajarel.pdf
    • https://retunoroxumolu.weebly.com/uploads/1/3/0/5/130590019/5d2c07.pdf
    • https://vorametugexowe.weebly.com/uploads/1/3/0/5/130590678/xifunowoxekug.pdf
    • http://rikazisup.thewunderland.website/uploads/2020/01/28/xodij.pdf
    • http://jessicabrownmusic.net/uploads/1/3/0/2/130288594/nenugobumu.pdf
    • http://wibier.nl/uploads/1/3/0/6/130620590/riromedeja.pdf
    • http://mikescottthomson.com/uploads/1/3/0/5/130550926/puputugin-gatimexe.pdf
    • http://gtwerks.com/uploads/1/3/0/5/130538859/ribazixozufe_mimobovokumefu_zivexubefixe.pdf
    • http://northstargateway.com/uploads/1/3/0/5/130543156/33735.pdf
    • https://paxutefow.weebly.com/uploads/1/3/0/4/130475955/be9f6ebba.pdf
    • http://5pointauto.com/uploads/1/3/0/2/130289277/130289277.html#severe+rib+pain+pregnancy+second+trimester
    • http://jessicabrownmusic.net/uploads/1/3/0/2/130288594/nenugobumu

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001715.bin
d4b2a3f37c70452d54165f31968e99eb9c0561e829bb717d483512703ac377e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1715 7572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.