Malicious PDF — malware analysis report

Static analysis result for SHA-256 d75dad4dae441f81…

Verdict: MALICIOUS
File type: PDF
Size: 39.2 KB
Authoring application: Serif PagePlus
MD5: 7079ffcd0b394d1f3f0dcbc89b1c0e00
SHA-1: 5b5633a53817faf6b05a7fe748581b306cf83729
SHA-256: d75dad4dae441f81d37506045437e3d53626935d8896d5869e81f2a8d622d977
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF documents hosted across many different domains. This pattern is characteristic of a link farm, which is typically used for SEO manipulation or to route victims on to further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' reinforces the malicious classification of this file. No scripts were extracted, which limits what can be said about direct code-execution capabilities.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.brettrichardsmith.com/uploads/1/3/0/8/130814902/9f2b6df.pdf
    • http://berryhillheights.com/uploads/1/3/0/8/130814553/xuximukokero.pdf
    • http://mediacast365.com/uploads/1/3/0/6/130603983/892730.pdf
    • http://michelziesecke.com/uploads/1/3/0/7/130776486/xogasuze_zojupapirej_japelurix.pdf
    • http://newkids.co.uk/uploads/1/3/0/4/130483903/1349883.pdf
    • http://drtoxie.com/uploads/1/3/0/5/130539818/cb632180d267c03.pdf
    • http://nysmaplepartridge.com/uploads/1/3/0/2/130288458/jinolowavogaxanumu.pdf
    • http://nullaginecrc.net/uploads/1/3/0/3/130313183/3510400.pdf
    • http://ns2.21daychallenge.net/uploads/1/3/0/6/130603945/1387428.pdf
    • http://danwalkerwoodworks.com/uploads/1/3/0/5/130543941/19fd3fa.pdf
    • http://skmarketing.com/uploads/1/3/0/7/130738803/7357287.pdf
    • http://diamondviewfarms.com/uploads/1/3/0/3/130313368/f94fc893e42c51.pdf
    • http://thinkingfunny.info/uploads/1/3/0/4/130483302/wiregenekidizupa.pdf
    • http://stampedconcretemiami.com/uploads/1/3/0/3/130313272/samogolo_pifimeri.pdf
    • http://www.bennettdrawing.com/uploads/1/3/0/2/130291492/nixulinugavuwemegum.pdf
    • http://sugarmommascookieco.com/uploads/1/3/0/2/130287514/vodorojabejazem-fasuxuxeb.pdf
    • http://chiefcreativealtruist.com/uploads/1/3/0/6/130621695/jamivokatubanu.pdf
    • http://findmoreroom.com/uploads/1/3/0/7/130740012/wetaduta_xuvutunot_wexejes.pdf
    • http://theatricalthursday.com/uploads/1/3/0/6/130640155/nawisudonuvon.pdf
    • http://aboutusinvestment.com/uploads/1/3/0/6/130621362/5547943.pdf
    • http://cabinet-replacement.com/uploads/1/3/0/4/130476322/9110440.pdf
    • http://goodshepherdanimals.club/uploads/1/3/0/2/130291029/buvup.pdf
    • http://warriorstrongadventures.com/uploads/1/3/0/8/130874180/8914208.pdf
    • http://74-123-76-50.mgwnet.com/uploads/1/3/0/7/130775587/130775587.html#male+gametogenesis+and+germline+specification+in+flowering+plants
    • http://www.bennettdrawing.com/uploads/1/3/0/2/130291492/ni

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000375d.bin
SHA-256: d1e700cf770057b500087cc9e348e3deb4d5308e98c3e2907f5a01c083a2622f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x375D
Size: 7708 bytes