Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf58b2cf1ab18ad6…

Verdict: MALICIOUS
File type: PDF
Size: 38.2 KB
Authoring application: Inkscape
MD5: 714baf74e27c994cb312fd122fe7876d
SHA-1: d997d6ad86392a19a4412fe527f743f708b53016
SHA-256: cf58b2cf1ab18ad68d3b00e6c0a3755c21d1c8b1a81fd672451de89cac822e94
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF documents, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious distribution intent. The embedded URLs are likely used to redirect users to malicious content or phishing sites. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://vintagechicanew.com/uploads/1/3/0/3/130313368/bokefuxanejixe.pdf
    • http://febak.bookmeup.website/uploads/2020/01/29/pesuwubi.pdf
    • http://womawotow.dog-express.ru/uploads/2020/01/29/keboz_kozaf_vegosot_defofanazebi.pdf
    • http://mrmanoharan.com/uploads/1/3/0/6/130621706/e45d68145.pdf
    • http://marquezlaundrytheatre.com/uploads/1/3/0/2/130289363/2763671.pdf
    • http://casenoibucuresti.com/uploads/1/3/0/5/130540799/5929583.pdf
    • http://drfinkhobart.com/uploads/1/3/0/5/130588546/f0d69c75168f9.pdf
    • http://atelierjpb.com/uploads/1/3/0/5/130546923/3869c522fae1a64.pdf
    • http://11ange1s.com/uploads/1/3/0/3/130313170/2698020.pdf
    • http://sorteincorporation.co.za/uploads/1/3/0/5/130551132/9300846.pdf
    • http://wouldntbeseendead.com/uploads/1/3/0/5/130588620/wugag-givaloxuj.pdf
    • http://xilog.vipiski-besplatno16.icu/uploads/2020/01/28/8afe737.pdf
    • http://vero.heartplayers.com/uploads/2020/01/28/772744c7fa5.pdf
    • http://audiostart14.icu/uploads/2020/01/29/fb76de1.pdf
    • http://affordablewarbird.com/uploads/1/3/0/6/130605339/kowugevirura-rexolikilubux.pdf
    • http://culturalovers.org/uploads/1/3/0/6/130639765/5d11c0c.pdf
    • http://amourwed.tw/uploads/1/3/0/6/130605387/588263.pdf
    • http://novacabinetanddecor.com/uploads/1/3/0/2/130287997/6ee83ded24d3eb.pdf
    • http://duganspecialties.com/uploads/1/3/0/6/130603905/130603905.html#basin+street+blues+sheet+music+saxophone
    • http://novacabinetanddecor

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014fa.bin
SHA-256: 85c79b310e29002f9ca59dd2aa02c4e1860ef580a992a6cfbea77483ec29a926
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14FA
Size: 8216 bytes