Malicious PDF — malware analysis report

Static analysis result for SHA-256 d79d6b6becbe0b74…

MALICIOUS

PDF

Size: 38.7 KB
Authoring application: Poppler-utils
MD5: 62c835073d3c4f66f7a57731be8f6e43
SHA-1: 93f4fe5e2bfc26fc285c29ce57dfe84d93517c3b
SHA-256: d79d6b6becbe0b744bf5ee1b429ea6bdd1a88cf7ae4b77aff094487d2089ffe7
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs, indicating a link farm designed to distribute malicious content. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests that the document may also contain instructions for executing commands using Windows scripting tools, potentially for further payload delivery or system compromise. The ClamAV detection further confirms the malicious nature of the file.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visible LOLBin command execution instruction (severity: high, id: SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000362b.bin
SHA-256: e3dad1613ea9eeab07fd827503ee09067b146d7905415be0cf05af6b768a468f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x362B
Size: 7504 bytes