Malicious PDF — malware analysis report

Static analysis result for SHA-256 d51b6213b3622990…

Verdict: MALICIOUS
File type: PDF
Size: 88.3 KB
Authoring application: Pdftk
MD5: 48b89260591b4f5bd74ef57acfad561d
SHA-1: 09437aa37035c4b0efe2ccc98a222fb27fba91a0
SHA-256: d51b6213b36229908f0d25cfb84175459a2186cd0d6cf6f855552182c3ff8449
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.002 User Execution: Malicious File

The PDF file contains a large number of embedded URLs pointing to external PDF documents. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute phishing content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious traffic redirection intent. No scripts were extracted from this sample, and the document body was heavily obfuscated and truncated, limiting further analysis of the specific lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://vez.portal-doempreendedordigital.com/uploads/2020/01/27/xugagon_boxode_diritoworo_zixuteb.pdf
    • http://xoglamaccess.com/uploads/1/3/0/4/130477566/mawufexudofade_bapanobu_guguvopara.pdf
    • http://myrocketflow.com/uploads/1/3/0/4/130490006/398324361c170.pdf
    • https://tijomodu.weebly.com/uploads/1/3/0/3/130379105/26af709060.pdf
    • http://mujekomuvi.malka-cc.com/uploads/2020/01/27/fodolibalamat.pdf
    • http://brookeholden.com/uploads/1/3/0/5/130588595/5964819.pdf
    • http://msportsix.com/uploads/1/3/0/5/130588775/eadf008.pdf
    • https://nutejenubexejaf.weebly.com/uploads/1/3/0/2/130289154/160657.pdf
    • https://jupedisa.weebly.com/uploads/1/3/0/5/130541763/9619067.pdf
    • http://gritnursingreview.ca/uploads/1/3/0/5/130551258/vefonokabop-vowedawaxoki-jajotulexerod-jolebusemuwas.pdf
    • http://mil-algorithm.com/uploads/2020/01/28/lulezije.pdf
    • http://advicelogic.net/uploads/1/3/0/2/130274322/konud.pdf
    • http://kbp-wichita.com/uploads/1/3/0/6/130604428/xiwev_wasut.pdf
    • http://addaihealthedu.net/uploads/1/3/0/2/130288419/wadun-xosufesipa.pdf
    • http://kpeggphoto.com/uploads/1/3/0/4/130483868/jafimuja.pdf
    • http://filmliteracyeurope.org/uploads/1/3/0/3/130313046/7585149.pdf
    • http://degosidu.netto-tc.ru/uploads/2020/01/27/8995146.pdf
    • http://gbwbathsponges.com/uploads/1/3/0/3/130313284/9d9a3d7.pdf
    • http://jioulian.com/uploads/1/3/0/4/130483587/d4c5f823f5085c.pdf
    • http://bardswine.com/uploads/1/3/0/2/130288317/39710.pdf
    • http://bowo.faithmirror.com/uploads/2020/01/29/gifewo_rususunatune_vadosenekep_delunubez.pdf
    • http://brittanygrahamrealestate.com/uploads/1/3/0/5/130551129/womusoze.pdf
    • http://newperspectivemedical.com/uploads/1/3/0/2/130274258/130274258.html#edzie+varskvlavi+sheni
    • http://bowo.faithmir
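
The PDF_SEO_LINK_FARM heuristic keys on three observable properties: a small file, many /URI link annotations, and most of those links clustered on one host. The following is an added example, not the analysis platform's code, that extracts /URI targets with the standard library (from the raw file and from FlateDecode'd streams, where generated PDFs often hide their annotations) and applies an illustrative form of the rule to a constructed one-page PDF. The thresholds MAX_SIZE, MIN_LINKS and CLUSTER_RATIO, the host names, and the sample PDF layout are assumptions and not the report's actual rule parameters or the analysed sample.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Illustrative thresholds (assumptions, not the report's actual rule parameters):
# a PDF no bigger than MAX_SIZE carrying at least MIN_LINKS external links, with
# at least CLUSTER_RATIO of them on a single host, is reported as a link farm.
MAX_SIZE = 256 * 1024
MIN_LINKS = 10
CLUSTER_RATIO = 0.5

# /URI (literal string) and /URI <hex string> inside link actions. Literal-string
# handling is simplified: escapes are honoured, nested unescaped parentheses are not.
_URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
_URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Stream bodies; a real parser would honour /Length instead of searching for endstream.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(raw: bytes) -> str:
    # Decode PDF literal-string escapes: \( \) \\ \n \r \t and \ddd octal.
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):
            n = raw[i + 1]
            if 0x30 <= n <= 0x37:                      # octal escape, up to 3 digits
                j = i + 1
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(n, n))
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def _inflated_streams(data: bytes):
    # Yield the content of every stream whose body inflates as FlateDecode data.
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def extract_uris(data: bytes) -> list:
    # Distinct /URI targets from the raw file plus every inflated stream, in order.
    uris = []
    for chunk in [data, *_inflated_streams(data)]:
        uris += [_unescape(m.group(1)) for m in _URI_LIT_RE.finditer(chunk)]
        for m in _URI_HEX_RE.finditer(chunk):
            digits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
            if len(digits) % 2:                        # PDF: a missing final digit reads as 0
                digits += "0"
            uris.append(bytes.fromhex(digits).decode("latin-1"))
    return list(dict.fromkeys(uris))


def link_farm_verdict(data: bytes) -> dict:
    # Apply the heuristic: file size, external link count and single-host clustering.
    uris = [u for u in extract_uris(data) if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    return {
        "size": len(data),
        "external_links": len(uris),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": len(data) <= MAX_SIZE and len(uris) >= MIN_LINKS and share >= CLUSTER_RATIO,
    }


# Constructed input (not the analysed sample): a one-page PDF whose link annotations
# point at a dozen hosted PDFs, nine of them on one host, plus one more link hidden
# in a FlateDecode stream. The xref table is omitted; the extractor does not need it.
SAMPLE_URIS = (
    [f"http://farm.example/uploads/1/3/0/4/13047{i:04d}/lure{i}.pdf" for i in range(9)]
    + ["http://other-a.example/uploads/x.pdf",
       "https://other-b.example/docs/y.pdf",
       "http://other-c.example/u/z.pdf"]
)
HIDDEN_URI = "http://farm.example/uploads/hidden.pdf"


def build_sample_pdf(uris) -> bytes:
    def lit(u):  # escape a string for a PDF literal
        return u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    annots = "".join(
        f"{5 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({lit(u)}) >> >>\nendobj\n"
        for i, u in enumerate(uris))
    refs = " ".join(f"{5 + i} 0 R" for i in range(len(uris)))
    hidden = zlib.compress(f"<< /S /URI /URI ({lit(HIDDEN_URI)}) >>".encode("latin-1"))
    head = ("%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n"
            f"4 0 obj\n<< /Filter /FlateDecode /Length {len(hidden)} >>\nstream\n")
    return (head.encode("latin-1") + hidden + b"\nendstream\nendobj\n"
            + annots.encode("latin-1") + b"%%EOF\n")


if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URIS)))
```

Run against a real file, the interesting outputs are the host counter and the inflated-stream hits: a document with a genuine bibliography spreads its links over many hosts, whereas a generated carrier like this one concentrates them on a single hosting service, which is exactly the pattern the heuristic text describes. Object streams (/Type /ObjStm) and other filters are not handled here; a production extractor inflates those as well before scanning.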

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00001367.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1367   7356 bytes
                              SHA-256: a00c7e0850e8967ea92c5b7ee16f4ddfe0586958c65f19d5daaa8af1e7b59039
font_01_sfnt_off0001085f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1085F  19980 bytes
                              SHA-256: 51a158895e300be189c3e93e3e06c6dba20083732fc819e976afdd1d73bc806b
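
Each carved font is recorded above by the offset of its sfnt header, the carved size and the SHA-256 of the carved bytes. Embedded fonts are worth carving because they are handed to the viewer's font parser, so they deserve their own hashes and scans. The following is an added example, not the platform's carving code, showing how those three values can be derived: locate each sfnt signature, validate the table directory, take the furthest table end as the font's extent, and hash the carved bytes. The two fonts and the surrounding PDF bytes are constructed; real FontFile2/FontFile3 streams are usually FlateDecode'd and must be inflated first, and the MAX_TABLES bound is an assumption.

```python
import hashlib
import struct

# sfnt signatures: TrueType (0x00010000), CFF-flavoured OpenType ("OTTO"), Apple "true".
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64   # sanity bound (assumption); real fonts carry roughly 10-30 tables


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sfnt_extent(blob: bytes, off: int):
    """Return (length, table tags) for the sfnt at off, or None if the header
    and table directory are not plausible. The length is the furthest table end
    in the directory, i.e. how far the font really reaches into the stream."""
    if off + 12 > len(blob):
        return None
    num_tables = struct.unpack_from(">H", blob, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(blob):
        return None
    end, tags = dir_end, []
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", blob, off + 12 + 16 * i)
        if not all(0x20 <= b < 0x7F for b in tag):     # tags are printable ASCII ("cvt ", "OS/2")
            return None
        if toff < dir_end or off + toff + tlen > len(blob):  # table must follow the directory and fit
            return None
        end = max(end, toff + tlen)
        tags.append(tag.decode("ascii"))
    return end, tags


def carve_fonts(blob: bytes) -> list:
    """Scan for sfnt headers and return offset, size, SHA-256 and table tags for
    each font whose directory validates; "true" inside PDF syntax is rejected by
    the directory checks rather than by the signature alone."""
    found, pos = [], 0
    while True:
        hits = [h for h in (blob.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        ext = sfnt_extent(blob, off)
        if ext is None:
            pos = off + 1
            continue
        size, tags = ext
        found.append({"offset": off, "size": size,
                      "sha256": sha256_hex(blob[off:off + size]), "tables": tags})
        pos = off + size


def build_sfnt(tables: dict) -> bytes:
    """Constructed TrueType-flavoured sfnt: header, directory, 4-byte padded tables.
    Table contents are filler and checksums are left at zero."""
    n = len(tables)
    dir_size = 12 + 16 * n
    records, body = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, dir_size + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0) + records + body


# Constructed blob (not the analysed sample): two synthetic fonts inside uncompressed
# PDF streams, plus a "true" token in a dictionary as a decoy signature.
FONT_A = build_sfnt({b"head": b"A" * 54, b"OS/2": b"B" * 96})          # 196 bytes
FONT_B = build_sfnt({b"cvt ": b"C" * 8, b"glyf": b"D" * 200, b"loca": b"E" * 12})  # 280 bytes
SAMPLE_BLOB = (b"%PDF-1.7\n1 0 obj\n<< /Length1 196 /Dummy true >>\nstream\n" + FONT_A
               + b"\nendstream\nendobj\n2 0 obj\n<< /Length1 280 >>\nstream\n" + FONT_B
               + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_BLOB):
        print(f"font_sfnt_off{f['offset']:08x}.bin  {f['size']} bytes  {f['sha256']}  {f['tables']}")
```

For a real sample the same routine runs over each inflated FontFile stream (or over the whole inflated object set), and the resulting hashes are what gets looked up or scanned separately from the PDF container.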