Malicious PDF — malware analysis report

Static analysis result for SHA-256 d27486811dbb7f31…

Verdict: MALICIOUS
File type: PDF
Size: 48.4 KB
Authoring application: Scribus
MD5: 66dba59f9f9c6f6c850582580375bbe0
SHA-1: 61c5551a684d95a216d08fa454048f775e2ac225
SHA-256: d27486811dbb7f319c2a43e956c3efdbf704b28e1ee730f410f0689ae64aaf7e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to other PDF documents, a technique often used for SEO manipulation or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent. No scripts were extracted, and the document body content is largely unreadable, which makes it difficult to determine the exact nature of the lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mommieceoapparel.com/uploads/1/3/0/3/130312974/7075404.pdf
    • http://bucharestinthebeltway.com/uploads/1/3/0/4/130436017/464d5fba6935ce9.pdf
    • http://vagevi.lariveracr.com/uploads/2020/01/29/mefosodexina-janugadojarejul-gugefam-xuwikulifozub.pdf
    • http://naturalbalancetherapies.org/uploads/1/3/0/3/130313179/nekuwilizukujilu.pdf
    • http://northcaroline.weebly.com/uploads/1/3/0/2/130289291/lebof.pdf
    • http://wildcardreiningchallenge.com/uploads/1/3/0/5/130551309/bunejisukaxor_fonemosojom.pdf
    • http://groutlaw.com/uploads/1/3/0/4/130476204/donosox.pdf
    • http://lezomav.glavmoskuhni.ru/uploads/2020/01/28/22c39150.pdf
    • http://cityglush26.icu/uploads/2020/01/29/25047cfa47b815.pdf
    • http://mentalsector.com/uploads/1/3/0/2/130272902/27cae240b85.pdf
    • https://tosotozowi.weebly.com/uploads/1/3/0/4/130478772/viwikapebelekem.pdf
    • http://16365redington.com/uploads/1/3/0/4/130476555/xesusaju_jajug_mevinaz.pdf
    • http://radivak.loriot-climate.ru/uploads/2020/01/28/72131ce9.pdf
    • http://kasselov.no/uploads/1/3/0/5/130540926/8091448.pdf
    • http://mydrivingschoolga.com/uploads/1/3/0/6/130639438/c48d97e2a5a9.pdf
    • http://nswminiaturepony.com.au/uploads/1/3/0/5/130543996/8897311.pdf
    • http://mrsindler.com/uploads/1/3/0/4/130476586/6343952.pdf
    • http://lapamemew.visittatarstan.ru/uploads/2020/01/28/e332c1e0c.pdf
    • http://nursingarmpillow.com/uploads/1/3/0/5/130588559/130588559.html#air+pollution+wikipedia+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001554.bin
    SHA-256: 4dcd17dd671fb4853eea60d71d7b55252d535f7ec38b64ef515a25216e297656
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1554
    Size: 8256 bytes
  • Filename: font_01_sfnt_off00006d80.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D80
    Size: 16036 bytes
  • Filename: font_02_sfnt_off00008197.bin
    SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8197
    Size: 2652 bytes