Malicious PDF — malware analysis report

Static analysis result for SHA-256 d24986f0e8ece880…

Verdict: MALICIOUS
File type: PDF
Size: 51.1 KB
Authoring application: pstoedit
MD5: 85f7cd469c90db655171955147ab5594
SHA-1: d77e8556f9bbb846c08695492710e7e6f5ff3485
SHA-256: d24986f0e8ece8800134869c4158bce8653ffe0f291e6486ab28a9c54f64a1c7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file exhibits a critical heuristic firing for a PDF SEO link farm, containing numerous external links to other PDF documents. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious classification. The embedded URLs likely serve as lures for phishing or to distribute further malicious content.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001139.bin
  SHA-256: 223fee5ef6414c44425b13309f8fbb2ce919a6967ae36afb91c167fc1cede6c6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1139
  Size: 8144 bytes

Filename: font_01_sfnt_off00004310.bin
  SHA-256: f2a70f7b9c424413431733c48e4c7ed52a0a70fe65cb8fcf23a9be58fb0bd24b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4310
  Size: 14148 bytes

Filename: font_02_sfnt_off00006e68.bin
  SHA-256: b9c84d35164c33d9e2fc2d3b3738daa184b73d6ba731d71bd613379ee6a43b94
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6E68
  Size: 16588 bytes

Filename: font_03_sfnt_off000084c5.bin
  SHA-256: e0d1736d2ba72d5c8c3e1739a2e36ad8b2b61d63c34e6aebc22f2c2ba941ad15
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x84C5
  Size: 6776 bytes