Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd602d357996b138…

Verdict: MALICIOUS
File type: PDF
Size: 52.4 KB
Authoring application: ImageMagick
MD5: 49be43e6d11c4fa26a1758915bc7416d
SHA-1: a2a1ca69a6e347dcc36b078bcbbe6e58fbd2a9f8
SHA-256: cd602d357996b138f3e53871e09634ddef583f7142d1b191e588c186596191ca
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a large number of clickable links to external PDF documents, matched by the PDF_SEO_LINK_FARM heuristic; ClamAV independently flags the file with a phishing signature. The link targets sit on many different hosts, but nearly all of them share the same generated /uploads/<n>/<n>/<n>/<n>/<id>/<name>.pdf path layout, which is consistent with an automatically produced SEO link-farm carrier that routes the reader into malicious or unwanted-software delivery chains rather than a normal citation pattern. No scripts were extracted from this sample, so the T1059.001 (PowerShell) mapping above is not corroborated by anything observed in the file itself.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://barrelvisions.com/uploads/1/3/0/2/130288562/wekanobinedofoma.pdf
    • http://californiahydrogenwater.com/uploads/1/3/0/2/130289474/2368151.pdf
    • http://ck-sale.ru/uploads/2020/01/28/d4c9b9c4110.pdf
    • http://newyorktravelmedicine.com/uploads/1/3/0/4/130483117/tepatoxajujugod.pdf
    • http://kingfisher-strategy.com/uploads/1/3/0/2/130291030/e19cac3fc05.pdf
    • http://jakeberman.net/uploads/1/3/0/6/130604631/6006545.pdf
    • http://makasedene.vid-downloader.tech/uploads/2020/01/27/d3fa9093.pdf
    • http://openmindsholistichealingcenter.com/uploads/1/3/0/6/130639510/99a4a75367.pdf
    • http://tymboslycebeats.com/uploads/1/3/0/6/130621119/bosukawu.pdf
    • http://loveunitylife.com/uploads/1/3/0/3/130323455/jelekawoxefamijafe.pdf
    • http://gujajulas.rurostelekom.ru/uploads/2020/01/27/9264581.pdf
    • http://restaurantatburdicks.com/uploads/1/3/0/4/130483821/ripuwo.pdf
    • http://massiv-stairs.ru/uploads/2020/01/28/372921.pdf
    • http://ginandtarnish.com/uploads/1/3/0/5/130590334/xaberupazebofu.pdf
    • http://now.barcelonaswing.cat/uploads/2020/01/28/zosinos.pdf
    • http://emilydelbridge.com/uploads/1/3/0/5/130590122/sazavexikuzug_lubuwogekamuxaz.pdf
    • http://blacklocustpastures.com/uploads/1/3/0/2/130289731/8516492.pdf
    • https://noguzapamuvap.weebly.com/uploads/1/3/0/5/130551270/polezefuxotesolopu.pdf
    • http://poubellepublishing.com/uploads/1/3/0/5/130544063/380ebacbc85ec.pdf
    • http://ndchair.com/uploads/1/3/0/6/130621847/130621847.html#home+remedy+for+gum+boil
    • https://noguzapamuvap.weebly.com/uploads/1
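The script below is an added example, not the analysis platform's own detector. It implements the PDF_SEO_LINK_FARM heuristic described above as stand-alone Python: it pulls /URI link targets out of a PDF byte string, measures how tightly they cluster by host and, going one step beyond the heuristic as written, by generated path template (the URLs listed above are spread across hosts but share one /uploads/.../<id>/<name>.pdf layout), and flags a small file whose .pdf links are numerous and clustered. The fixture PDF builder, all hosts and URLs, and the size, count and share thresholds are constructed for the example and are not taken from the sample.

```python
"""Static link-farm heuristic for PDFs (added example; not the analysis
platform's detector).  Extracts /URI link targets from a PDF byte string,
measures how tightly they cluster, and returns a verdict dictionary."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) inside a link action.  Hex strings (<...>) and
# annotations hidden inside compressed object streams are out of scope;
# a production scanner must inflate object streams before matching.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def pdf_escape(s: str) -> str:
    """Escape a string for use inside a PDF literal string ( ... )."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_link_pdf(urls):
    """Constructed fixture: a one-page PDF with one /Link annotation per URL.
    No xref table is written; a static scanner does not need one."""
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{refs}] >>".encode(),
    ]
    for i, u in enumerate(urls):
        y = 740 - 20 * i
        objs.append(
            f"<< /Type /Annot /Subtype /Link /Rect [50 {y} 560 {y + 15}] "
            f"/A << /S /URI /URI ({pdf_escape(u)}) >> >>".encode("latin-1")
        )
    out = bytearray(b"%PDF-1.4\n")
    for n, body in enumerate(objs, 1):
        out += f"{n} 0 obj\n".encode() + body + b"\nendobj\n"
    out += f"trailer\n<< /Root 1 0 R /Size {len(objs) + 1} >>\n%%EOF\n".encode()
    return bytes(out)


def extract_uris(pdf_bytes: bytes):
    """Return every /URI literal string in the file with the simple
    backslash escapes (\\( \\) \\\\) undone; octal escapes are not handled."""
    return [
        re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
        for m in URI_RE.finditer(pdf_bytes)
    ]


def path_shape(url: str) -> str:
    """Collapse a URL path into a template: digit runs become N and the final
    segment becomes *, so /uploads/1/3/0/2/130288562/abc.pdf -> /uploads/N/N/N/N/N/*"""
    parts = urlsplit(url).path.split("/")
    if len(parts) > 1:
        parts[-1] = "*"
    return "/".join(p if p == "*" else re.sub(r"\d+", "N", p) for p in parts)


def link_farm_verdict(pdf_bytes: bytes, *, max_size=256 * 1024, min_links=10,
                      cluster_share=0.6):
    """Flag a small PDF whose external .pdf links are numerous and clustered,
    either on one host (the heuristic as the report describes it) or on one
    generated path template across many hosts (added generalisation).
    Thresholds are illustrative assumptions, not the platform's values."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    shapes = Counter(path_shape(u) for u in external)
    n = len(external)
    top_host, top_host_n = hosts.most_common(1)[0] if n else ("", 0)
    top_shape, top_shape_n = shapes.most_common(1)[0] if n else ("", 0)
    host_share = top_host_n / n if n else 0.0
    shape_share = top_shape_n / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size
               and len(pdf_links) >= min_links
               and max(host_share, shape_share) >= cluster_share)
    return {
        "size": len(pdf_bytes), "external_links": n, "pdf_links": len(pdf_links),
        "top_host": top_host, "top_host_share": round(host_share, 3),
        "top_path_shape": top_shape, "top_path_shape_share": round(shape_share, 3),
        "flagged": flagged,
    }


# Constructed inputs: twelve farm-style links spread over twelve hosts that
# share one generated path layout, and three ordinary citation links.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 7}/1302{i:05d}/f{i}.pdf"
             for i in range(12)]
CITATION_URLS = ["https://www.example.org/papers/2019/report.pdf",
                 "https://docs.example.com/manual.pdf",
                 "http://example.net/index.html"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("citations", CITATION_URLS)):
        print(name, link_farm_verdict(build_link_pdf(urls)))
```

Run against the farm fixture the verdict is flagged on the path-template share alone (top host share is 1/12), which is the case the per-host rule in the heuristic text would miss; against the three citation links it stays clear because the link count never reaches the threshold.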

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001187.bin
SHA-256:  a995b4a3c702b794340babd800b23634827bdd1375b14cda7b18be416fd644f9
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1187
Size:     9340 bytes