Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8314aed6daac29b…

MALICIOUS

PDF

Size: 36.7 KB
Authoring application: Scribus
MD5: 81952a2f8f1e6b4cc7374d9ba88dfabc
SHA-1: bfea1481b63397545362440720b8eb28a5401370
SHA-256: d8314aed6daac29bc9a2068c6799448693da36c974c68a801ccb52297f451178
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a phishing or redirection attempt. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic further supports a deceptive download lure. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' confirms the malicious nature. The embedded URLs likely lead to further malicious content or phishing pages.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000141f.bin
SHA-256: 31807f57c7d959ced021ad83fdb0a3f90fac26014ce89ce67d6c004f981a3612
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x141F
Size: 8456 bytes