Malicious PDF — malware analysis report

Static analysis result for SHA-256 d250b4e553badbac…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Authoring application: ImageMagick
MD5: 658b695db8fd54d1d8b1e83600032469
SHA-1: 5892abba2f036182788596db4adad445dde01fd3
SHA-256: d250b4e553badbacc891d5662f8a27deba60f41dce3afa808daaa29b11f91a1e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, a technique commonly used for phishing or distributing further malware. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports this. The embedded document body text, though heavily obfuscated, contains references to IELTS academic reading practice tests, likely a lure to encourage users to click the malicious links.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://psychedynamic.com/uploads/1/3/0/6/130620687/7024299.pdf
    • http://www.puredogbreedregistry.com/uploads/1/3/0/4/130476273/d2293.pdf
    • http://thequiltstudio.com/uploads/1/3/0/5/130588515/4203479.pdf
    • http://cataniainunclick.com/uploads/1/3/0/5/130544132/guzibeviwewasodiva.pdf
    • http://kinetickneadsmassagetherapy.com/uploads/1/3/0/4/130477278/runitiworifubotiluk.pdf
    • http://aninhastore.com/uploads/1/3/0/7/130775762/vemiwakizoxixet.pdf
    • http://myrachelnewman.com/uploads/1/3/0/5/130589427/2083689.pdf
    • http://www.theorodat.de/uploads/1/3/0/5/130550723/09f99e22.pdf
    • http://mirandapueyo.com/uploads/1/3/0/3/130324137/fc23f.pdf
    • http://oslorelocationservices.net/uploads/1/3/0/7/130739816/87304911d35.pdf
    • http://hostmaster.amberjewellery.co.nz/uploads/1/3/0/7/130776445/9890555.pdf
    • http://mermaidexplorers.com/uploads/1/3/0/3/130323675/bubaxapekigafavad.pdf
    • http://mrramsay.co.uk/uploads/1/3/0/7/130738714/nuribo.pdf
    • http://mse265.com/uploads/1/3/0/7/130776158/12031ee9319a0.pdf
    • http://peterinova.com/uploads/1/3/0/5/130588151/wemiradezagul.pdf
    • http://beccakelley.com/uploads/1/3/0/8/130873870/a535a6b61e4a.pdf
    • http://kalamazoochurchofchrist.com/uploads/1/3/0/7/130739052/888078.pdf
    • http://strongholdequineequipment.com/uploads/1/3/0/3/130313491/nimufaw.pdf
    • http://pokeyflex.com/uploads/1/3/0/6/130620979/421924.pdf
    • http://liquidbluesrq.com/uploads/1/3/0/5/130588473/8eb5f88.pdf
    • http://nopressureapparel.net/uploads/1/3/0/6/130604610/6479868.pdf
    • http://djsacademy.com/uploads/1/3/0/4/130483741/130483741.html#reading+practice+tests+for+ielts+academic
    • http://kalamazo

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002cba.bin
SHA-256: 5223d3f84d6acf5397f80e48f4cad2e5a0badd21714d9a197172ba26c2b8cfa0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2CBA
Size: 8152 bytes