Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf046529158834bc…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Authoring application: PDFedit
MD5: 767bba07d20ee5d984c90174aa57278f
SHA-1: db66932fa70cb98990d17db31042d34ded4e1b7b
SHA-256: cf046529158834bc4fa121746ab35787abe32033877bebb5bceb9db4ecea6226
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

The document presents itself as a download page for a software crack (the fragment of the last listed URL reads solidworks+2019+sp4+crack), but it consists largely of clickable links to external PDF files, the pattern of an SEO/phishing link farm rather than a genuine document. The link targets sit on many different hosts yet share the same /uploads/... path layout, which is consistent with templated, mass-generated pages. The document also instructs the reader to install a remote-support tool, a common social-engineering lure. The ClamAV signature Pdf.Phishing.TtraffRobotInstall corroborates the phishing classification.

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_REMOTE_SUPPORT_LURE (high): Remote-support tool lure
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect. High-risk in an unsolicited document.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://mochaloops.com/uploads/1/3/0/3/130313015/xajul.pdf
    • http://xili.speacetech.us/uploads/2020/01/28/2c92d2611cfc5d.pdf
    • http://mopurefi.tayadsy.tech/uploads/2020/01/29/8114234.pdf
    • http://cours-de-batterie-fouesnant.com/uploads/1/3/0/5/130550782/jesubo.pdf
    • http://diabetest1ireland.com/uploads/1/3/0/2/130287920/9748643.pdf
    • http://mccallinnovations.com/uploads/1/3/0/6/130639277/1754422.pdf
    • http://acrpafrica.com/uploads/1/3/0/6/130605443/momani.pdf
    • http://showuplifestyle.com/uploads/1/3/0/4/130476112/wogeligerotufe.pdf
    • http://bitpixerssupport.com/uploads/1/3/0/4/130476313/zorixelo.pdf
    • http://sjbcs1.weebly.com/uploads/1/3/0/3/130379509/gapisavu_samokixa.pdf
    • http://naiadenorthamerica.com/uploads/1/3/0/5/130551904/8636584.pdf
    • https://vekezuxivegivo.weebly.com/uploads/1/3/0/3/130323761/rawiwumu.pdf
    • http://bulu.soho-sumki.icu/uploads/2020/01/28/kojoxepirito-tesowapi.pdf
    • http://momonaireland.com/uploads/1/3/0/6/130620614/xonekajerexuzupudisa.pdf
    • http://daxo.24024.ru/uploads/2020/01/27/wixarekev_ziwefezib_wunafe.pdf
    • http://mynehab.org/uploads/1/3/0/2/130270905/dopuvitejigi-nezime-degobavevo.pdf
    • https://ninigupuxoro.weebly.com/uploads/1/3/0/2/130272388/9438801.pdf
    • http://wickedladiesbees.com/uploads/1/3/0/6/130604213/4935014.pdf
    • http://finekykt.ru/uploads/2020/01/27/6ba1f03181da0e0.pdf
    • http://akihiroyasui.com/uploads/1/3/0/4/130476141/130476141.html#solidworks+2019+sp4+crack

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_001_off00001591.bin
SHA-256: c9bccac6b682f039f81b767a30c5bbf1991b024714cafc1eafad7faa88493234
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1591
Size: 9756 bytes
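As an added example (not the scanner's code and not tooling from the report), the following Python script reproduces the two static-analysis steps this report relies on: carving and inflating FlateDecode streams, as was done to produce the artifact above, and pulling /URI link-annotation targets out of the raw file and the inflated content, then applying a link-farm test in the spirit of the PDF_SEO_LINK_FARM heuristic. The sample PDF is constructed inline and is not the analysed file; the thresholds (100 KB, 10 PDF links, 50% on one host), the example.test host names and the function names are assumptions, since the page does not give the scanner's actual values.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Regexes for a quick static pass. Real PDFs can hide objects in object streams,
# use string escapes or hex strings for /URI, or use filters other than Flate;
# a production scanner should walk the object tree with a real PDF parser.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_sample_pdf(urls):
    """Constructed test input, NOT the report's sample: a PDF-shaped byte string
    whose link annotations sit inside one FlateDecode stream so the inflate step
    is exercised. It is not a fully valid PDF (annotations are normally an array
    of indirect objects, not stream content), which is enough for a regex scan."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % u.encode("ascii")
        for u in urls
    )
    body = zlib.compress(annots)
    header = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots 4 0 R >> endobj\n"
    )
    stream_obj = b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
    return header + stream_obj + body + b"\nendstream\nendobj\n%%EOF\n"


def carve_streams(pdf_bytes):
    """Return (offset, raw, inflated) for every stream...endstream body.
    inflated is None when the body is not zlib data (other filter, or corrupt)."""
    carved = []
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        try:
            # decompressobj tolerates trailing bytes after the zlib end marker
            inflated = zlib.decompressobj().decompress(raw)
        except zlib.error:
            inflated = None
        carved.append((m.start(1), raw, inflated))
    return carved


def extract_uris(pdf_bytes):
    """Collect /URI targets from the raw file and from every inflated stream."""
    blobs = [pdf_bytes] + [inf for _, _, inf in carve_streams(pdf_bytes) if inf]
    uris = set()
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            uris.add(m.group(1).decode("latin-1"))
    return sorted(uris)


def link_farm_verdict(uris, file_size, size_limit=100_000, min_links=10, cluster_ratio=0.5):
    """Assumed re-implementation of the PDF_SEO_LINK_FARM idea: a small file that
    carries many external links to .pdf targets, most of them on a single host."""
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = file_size <= size_limit and len(pdf_links) >= min_links and share >= cluster_ratio
    return {
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "PDF_SEO_LINK_FARM": hit,
    }


# Constructed link set: 8 PDF links on one host, 4 elsewhere, plus one HTML lure page.
SAMPLE_URLS = (
    ["http://farm.example.test/uploads/1/2/3/%d/lure%d.pdf" % (n, n) for n in range(8)]
    + ["http://other%d.example.test/docs/%d.pdf" % (n, n) for n in range(4)]
    + ["http://landing.example.test/index.html#some+tool+crack"]
)

if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URLS)
    for off, raw, inf in carve_streams(pdf):
        state = "%d bytes inflated" % len(inf) if inf else "not Flate"
        print("stream at 0x%x: %d bytes raw, %s" % (off, len(raw), state))
    print(link_farm_verdict(extract_uris(pdf), len(pdf)))
```

Run on a real sample, the same carve step yields the decompressed stream that the report lists as stream_001_off00001591.bin (offset 0x1591 in its filename), and the URI scan over the inflated content is what surfaces link-annotation targets that a grep over the compressed file would miss.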