Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6c9d3a344f2687c…

MALICIOUS

PDF

Size: 49.1 KB
Authoring application: PDFedit
MD5: 7d030ce4fc86e097abd95dfb598cd805
SHA-1: bd33f1218b1b779dcdc99ea03a73f7949b69c68b
SHA-256: c6c9d3a344f2687cf91b69c5fcb8fbcd9613a34fe798b1ebadbe8425d4a4b1b8
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent. The embedded links are likely used to redirect users to phishing sites or other malicious content, as indicated by the numerous unknown-reputation URLs.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000154f.bin
SHA-256: 0a2d054cd89d6750927556768fceb895b225ccc0204fbc1a95b2b0b1c520875c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x154F
Size: 10216 bytes