Malicious PDF — malware analysis report

Static analysis result for SHA-256 d17871b909c207dd…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Authoring application: Soda PDF
MD5: 8e8047531f79b783d29a1a5f6fb709e5
SHA-1: ea509c1dcface1c1b85f5fbbae98a4b87bb2220e
SHA-256: d17871b909c207dda8a3c8217371dc835f8428d002892ade9dc66625bf936c94
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of clickable links to external PDF files hosted on many different domains, which is what triggers the PDF_SEO_LINK_FARM heuristic. The targets share a single path template (/uploads/1/3/0/<n>/<id>/<name>.pdf), the fingerprint of a generated link farm or redirection layer that routes users into malicious or unwanted-software delivery chains, rather than a document that legitimately cites other files. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 is consistent with a phishing or traffic-generation purpose. No JavaScript or other scripts were extracted from this sample, so the link annotations are the only delivery mechanism observed statically; the T1059.001 (PowerShell) mapping is not evidenced by any artifact carved here and should be read as an expected later stage of the chain rather than an observed behaviour.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, typically clustered on one host or, as here, spread across many hosts that share one upload-path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://faswer.space/uploads/1/3/0/7/130738673/redurudikolod_popagafitazipa.pdf
    • http://desvioindefinido.com/uploads/1/3/0/5/130588360/jodexi.pdf
    • http://webdisk.shabuworcester.com/uploads/1/3/0/5/130551941/8e0fded415.pdf
    • http://jackiesaad.com/uploads/1/3/0/8/130874488/mitedapa_latow_tuwuvupabu.pdf
    • http://www.theofficialinternetstore.com/uploads/1/3/0/5/130590531/a40ae0c44f0be6.pdf
    • http://www.3dvitog.com/uploads/1/3/0/6/130621896/mijotasujupade_lidusufajera_saniwatuzirovof.pdf
    • http://www.muvnao.com/uploads/1/3/0/6/130620625/wolipimup.pdf
    • http://kimibath.com/uploads/1/3/0/5/130543156/benefafepajemewu.pdf
    • http://hostmaster.onvousdemenage.ch/uploads/1/3/0/7/130775205/6301d72b258.pdf
    • http://choice-components.com/uploads/1/3/0/6/130604090/vudusiwej.pdf
    • http://fasholdingscorp.com/uploads/1/3/0/8/130874313/taromafe_fozemepi_dajub.pdf
    • http://universodobingo.com/uploads/1/3/0/6/130621706/rosep.pdf
    • http://humblebundleofjoy.com/uploads/1/3/0/6/130620926/9360481.pdf
    • http://summitcrest.ca/uploads/1/3/0/6/130640006/kafawegalud-tarotofonazono.pdf
    • http://frankbeanprinting.com/uploads/1/3/0/7/130775125/tizarexiputakajurit.pdf
    • http://www.personalisedportraitsnortheast.com/uploads/1/3/0/8/130874146/gigane_jibumidewa_rasofoj_polawisexoxaz.pdf
    • http://myeclecticyoga.com/uploads/1/3/0/2/130288554/buterepuvenon.pdf
    • http://aleonor1to1.com/uploads/1/3/0/3/130323178/gakajutetiki_xusukojitorod.pdf
    • http://3505brunell.net/uploads/1/3/0/5/130551832/c79a13f2c75669.pdf
    • http://oddrodcreations.net/uploads/1/3/0/2/130288486/vikotaje.pdf
    • http://missingbell.com/uploads/1/3/0/5/130538833/d2ce7c3b0.pdf
    • http://mindforyou.org/uploads/1/3/0/2/130272102/130272102.html#microsoft+sculpt+ergonomic+mouse+lag
    • http://summitcrest.ca/uploads/1/3/0/6/1306
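To reproduce the PDF_SEO_LINK_FARM finding on a file of your own, the following Python example (added for this page; it is not the analysis engine's code) scans raw PDF bytes for /URI link-annotation targets and scores them: count of external .pdf links, number of distinct hosts, the share held by the most common host, and the path prefix the links share. The thresholds (at least 10 external PDF links in a file of at most 200 KB) and the sample PDF it builds from constructed site*.example URLs are assumptions; on a real file call link_farm_verdict(open(path, "rb").read()).

```python
"""Added example: extract /URI link-annotation targets from raw PDF bytes and
apply a PDF_SEO_LINK_FARM-style heuristic. Thresholds and sample data are
assumptions for this example, not the analysis engine's own logic."""
import os
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (...) literal strings, e.g. inside /A << /S /URI /URI (http://...) >>.
# The inner group tolerates escaped parentheses and backslashes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def pdf_literal_unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs: \\( \\) \\\\."""
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Every /URI target in the file, found by scanning bytes (no xref walking,
    so annotations in unreferenced or malformed objects are seen too)."""
    return [pdf_literal_unescape(m) for m in URI_RE.findall(pdf)]


def link_farm_verdict(pdf: bytes, min_links: int = 10,
                      max_size: int = 200 * 1024) -> dict:
    """Flag a small PDF carrying many external .pdf links (assumed thresholds)."""
    uris = extract_uris(pdf)
    ext_pdf = [u for u in uris
               if urlparse(u).scheme in ("http", "https")
               and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in ext_pdf)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    # Generated farms reuse one path template across hosts; report the common
    # prefix so an analyst can pivot on it (cf. /uploads/1/3/0/ in the report).
    paths = [urlparse(u).path for u in ext_pdf]
    return {
        "size": len(pdf),
        "total_uris": len(uris),
        "external_pdf_links": len(ext_pdf),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": (top_count / len(ext_pdf)) if ext_pdf else 0.0,
        "common_path_prefix": os.path.commonprefix(paths) if paths else "",
        "flagged": len(pdf) <= max_size and len(ext_pdf) >= min_links,
    }


def build_sample_pdf(urls: list) -> bytes:
    """Minimal one-page PDF whose only content is one Link annotation per URL.
    Constructed test input for this example, not a real sample."""
    def lit(s: str) -> bytes:  # encode as a PDF literal string
        b = s.encode("latin-1")
        return b.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b""]  # object 3 (the page) is filled in once the annots exist
    refs = []
    for i, u in enumerate(urls):
        refs.append(f"{4 + i} 0 R".encode())
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" + lit(u) + b") >> >>")
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
               b"/Annots [" + b" ".join(refs) + b"] >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n".encode() + b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_at}\n%%EOF\n").encode()
    return bytes(out)


# Constructed URLs mimicking the report's pattern: many hosts, one path template.
SAMPLE_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1305{i:05d}/doc{i}.pdf"
               for i in range(1, 23)]
SAMPLE_URLS.append("http://site99.example/uploads/1/3/0/5/130599999/ab(c).pdf")  # escapes
SAMPLE_URLS.append("http://site23.example/uploads/1/3/0/2/130272102/page.html#x")  # not a PDF
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for k, v in link_farm_verdict(SAMPLE_PDF).items():
        print(f"{k:>20}: {v}")
```

Scanning bytes instead of walking the xref is deliberate: it also catches annotations parked in orphaned objects or incremental updates. The trade-off is that it cannot see annotations stored inside compressed object streams (/ObjStm), which must be inflated first; a low URI count on a PDF that carries /ObjStm objects is therefore not conclusive.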

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000348c.bin
SHA-256: 39dc338c234c21c8912121068b7dde1ee4233bdcb3e6899e2ac5745fd9efea6f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x348C
Size: 8056 bytes

An embedded sfnt font stream is normal for a PDF and is not an indicator on its own; it is listed so the carved object can be hashed and checked independently.