MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF document contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further suggests a phishing or malicious redirection intent. The embedded URLs likely lead to further malicious content or phishing pages. No scripts were extracted from this sample.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL info (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000188a.bin | 85620ebf68e7e7dba4efeaa6030417ec0df63e609d650678a134a62d211b8082 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x188A | 11720 bytes |
| font_01_sfnt_off000085ae.bin | e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x85AE | 2652 bytes |
| font_02_sfnt_off00008e8a.bin | 3fa324045e53a6601ef1b7c1a9cfa03718326c310b4b0746f30481ec09de0427 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8E8A | 16128 bytes |