Malicious PDF — malware analysis report

Static analysis result for SHA-256 d59b5a1702494c37…

Verdict: MALICIOUS

File type: PDF

Size: 36.8 KB
Authoring application: Serif PagePlus
MD5: 89a5bd73dcc0e537c7e26fb90079457f
SHA-1: 3029adae9b5fa0b5bcad7041c6b06e5d9d6b3b9d
SHA-256: d59b5a1702494c37a76b3f6493afd0ad5f9e2f7b1b1d16f6651739eac2271f0a
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, a pattern consistent with an SEO link-farm carrier rather than a normal citation list. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' points to a phishing or traffic-redirection purpose. The heuristic 'PDF_SEO_LINK_FARM' confirms the mass linking behavior; the first-listed link host is luminousplaceproject.org. No scripts (JavaScript or other active content) were extracted from this sample, so the risk lies in where the links lead, not in code executed on open.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://luminousplaceproject.org/uploads/1/3/0/6/130621893/2188609.pdf
    • http://webdisk.q-four.com/uploads/1/3/0/6/130640142/bizuwororixa.pdf
    • http://www.stephaniehazel.com/uploads/1/3/0/3/130313507/vulimikonap.pdf
    • http://onceuponapage.net/uploads/1/3/0/6/130621167/buxusenov-zenov-dozivujevas-juxozumarolabop.pdf
    • http://draclaudiagarfunkel.com/uploads/1/3/0/7/130739016/2644378.pdf
    • http://www.passthecoco.com/uploads/1/3/0/4/130476572/38946.pdf
    • http://plania.it/uploads/1/3/0/6/130620334/refapejoluxakipaw.pdf
    • http://hrsdriveways.co.uk/uploads/1/3/0/3/130313491/mofiremedos-supevesutiwamos-gavuwagaguvagu-jalemaregapopa.pdf
    • http://believe2achieve-pt.com/uploads/1/3/0/7/130738989/6565195.pdf
    • http://good.tax/uploads/1/3/0/7/130776626/wixovonozejevaxijoxa.pdf
    • http://tools.parislaserandskin.com/uploads/1/3/0/7/130775573/mobarada.pdf
    • http://flipstylezdesigns.com/uploads/1/3/0/8/130813966/9436c4e15362c1.pdf
    • http://nzspirituality.com/uploads/1/3/0/4/130483684/7351990.pdf
    • http://constructionadvisorsgroupllc.com/uploads/1/3/0/2/130270798/4973840.pdf
    • http://lombardypartners.com/uploads/1/3/0/4/130476145/b17bb12be8cb.pdf
    • http://smithgamecalls.com/uploads/1/3/0/9/130969458/davetikazokezonikum.pdf
    • http://paxintrantibus.org/uploads/1/3/0/2/130288563/d576a2b7522a.pdf
    • http://pof-liveaddcalls.com/uploads/1/3/0/7/130776640/e4502.pdf
    • http://adrianoconnor.com/uploads/1/3/0/8/130813710/tobim.pdf
    • http://www.sacredlivingmovementnewengland.com/uploads/1/3/0/6/130605182/muvefezelijowobaloli.pdf
    • http://three-ps-in-a-pod.com/uploads/1/3/0/8/130874088/130874088.html#icd+10+code+for+brachial+artery+pseudoaneurysm
    • http://constructionadvisorsgroupl
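To make the PDF_SEO_LINK_FARM heuristic concrete, here is an added example (not the analysis platform's own code) that extracts /URI link actions from raw PDF bytes, groups them by host, and applies link-farm thresholds of the kind described above. The thresholds (10 external links, 256 KB, 50% share), the `build_sample_pdf` fixture builder, and every hostname in `SAMPLE_URLS` are assumptions constructed for the example; only literal-string `/URI (...)` entries in uncompressed objects are parsed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string form of a URI action, e.g. "/URI (http://host/x.pdf)". The hex-string
# form (/URI <...>) and links inside compressed object streams are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI literal string in the raw PDF bytes, with simple escapes undone."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def link_farm_verdict(pdf: bytes, min_links: int = 10, max_size: int = 256 * 1024,
                      min_share: float = 0.5) -> dict:
    """Toy PDF_SEO_LINK_FARM check; thresholds are assumptions, not the report's own.

    Flags when a small file carries many external http(s) links and either most of
    them point at other .pdf files or most of them sit on a single host.
    """
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    n = len(external)
    pdf_share = len(pdf_links) / n if n else 0.0
    top_share = top_count / n if n else 0.0
    flagged = (len(pdf) <= max_size and n >= min_links
               and (pdf_share >= min_share or top_share >= min_share))
    return {"size": len(pdf), "external_links": n, "pdf_links": len(pdf_links),
            "hosts": len(hosts), "top_host": top_host,
            "top_host_share": round(top_share, 2), "flagged": flagged}


def build_sample_pdf(urls: list) -> bytes:
    """Construct a minimal one-page PDF whose only content is one /Link annotation per URL.

    Test fixture only: a valid xref table is written so the file also opens in a viewer.
    """
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        rect = b"[72 %d 540 %d]" % (700 - 20 * i, 715 - 20 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect
                    + b" /A << /S /URI /URI (" + url.encode("latin-1") + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


# Constructed fixture: invented hosts and paths shaped like the report's URL list
# (nine links on one host, two more .pdf links elsewhere, one .html link).
SAMPLE_URLS = [f"http://seo-farm-a.example/uploads/1/3/0/6/1306{i:04d}/doc{i}.pdf"
               for i in range(9)]
SAMPLE_URLS += [
    "http://www.seo-farm-b.example/uploads/1/3/0/3/130313507/vuli.pdf",
    "http://seo-farm-c.example/uploads/1/3/0/7/130739016/2644378.pdf",
    "http://seo-farm-d.example/uploads/1/3/0/8/130874088/130874088.html#some+query",
]

if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URLS)))
```

On the constructed fixture this reports 12 external links, 11 of them to .pdf files, 4 hosts with the top host holding a 75% share, and flags the file; a two-link document with one mailto: address stays unflagged. For a real sample, run the same counting over the URLs the analysis platform already extracted (it also sees hex-string URIs and object streams, which this toy parser does not).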

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003058.bin
SHA-256: a2fd2d0e4ed2fd2345a7150d21c1a0800c7a48eeed2b2d3791fff2450f6628b1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3058
Size: 7704 bytes