Malicious PDF — malware analysis report

Static analysis result for SHA-256 d24585aa47f6abb1…

MALICIOUS

PDF

Size: 54.4 KB
Authoring application: GIMP
MD5: 8c0c7338e354544ccd9dea33775f2687
SHA-1: b10227f6eb33b71136f15272aac8c0f3de4e17d0
SHA-256: d24585aa47f6abb1057e6477e1253ed3d242056cc462a526154b04bc1728a502
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to external PDF documents, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious distribution intent. The document body, though heavily corrupted, contains some of these URLs, suggesting the primary goal is to redirect users to these external resources.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://reinasporunacausa.com/uploads/1/3/0/6/130620198/5277978.pdf
    • http://www.penninestoves.co.uk/uploads/1/3/0/3/130313356/823859.pdf
    • http://mishareads.com/uploads/1/3/0/6/130604447/revix_wuvubuwuleviwo.pdf
    • http://engenhoca.mobi/uploads/1/3/0/6/130639571/130cef64d.pdf
    • http://mymindfulconnections.com/uploads/1/3/0/6/130639209/b3c76ce4a23dc.pdf
    • http://sbfbla.org/uploads/1/3/0/7/130739443/192765bcd7468f9.pdf
    • http://sportyogalady.com/uploads/1/3/0/3/130379362/146f516be0a.pdf
    • http://khubilaimtm.com/uploads/1/3/0/6/130620762/losejugat.pdf
    • http://minimumtread.com/uploads/1/3/0/6/130621634/6550053.pdf
    • http://machinegunrentals.net/uploads/1/3/0/7/130775413/sumekaxebifi-zeveziseribazin.pdf
    • http://www.irishgoddess.com/uploads/1/3/0/7/130739001/tizokewabifopoxu.pdf
    • http://spazio-coworking.com/uploads/1/3/0/3/130323318/fb5cf04d8.pdf
    • http://kateyanne.com/uploads/1/3/0/6/130620681/jogemiv.pdf
    • http://pleaseexcusetheshirt.com/uploads/1/3/0/6/130639861/vejatuwepeneru-nuxukokiva-guwula.pdf
    • http://naeaglemulch.com/uploads/1/3/0/3/130312953/819a6.pdf
    • http://joyceknock.com/uploads/1/3/0/2/130272452/2977863.pdf
    • http://ldhbuyshomes.com/uploads/1/3/0/5/130550833/f8706eba8cb.pdf
    • http://nationalcatholicchoir.org/uploads/1/3/0/5/130590613/248371.pdf
    • http://3rivers.com.au/uploads/1/3/0/6/130604022/1290475.pdf
    • http://stefaniefletcher.com/uploads/1/3/0/6/130620334/7548594.pdf
    • http://hypernox.net/uploads/1/3/0/3/130313783/fcddc.pdf
    • http://dealingwithstuff.com/uploads/1/3/0/7/130740206/tawirula-pojib-gaguk.pdf
    • http://hohohohustle.com/uploads/1/3/0/5/130588923/ce106c8.pdf
    • http://rhworkplace.com/uploads/1/3/0/6/130620505/7389136.pdf
    • http://unique-dancewear.com/uploads/1/3/0/6/130620622/lexeko-ditapoluju-gurabejowu-batezabale.pdf
    • http://armorgrind.org/uploads/1/3/0/9/130969707/130969707.html#simple+tree+house+building+plans

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000134c.bin
SHA-256: 276048285e820ef7639fcdb691872932ca0fa42ad104a6bb01f7de3e1702a0db
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x134C
Size: 7540 bytes