Malicious PDF — malware analysis report

Static analysis result for SHA-256 d94620efaf64a506…

Verdict: MALICIOUS
File type: PDF
Size: 38.1 KB
Authoring application: Inkscape
MD5: 44a6ebc6682b8c6574e89ac3fb98d141
SHA-1: 496b75469e4a8e7a9fe2ed748d02746030a5af88
SHA-256: d94620efaf64a5065f19c03502747057216af3b12f9fa92143d1fcbb9f0e3da8
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF contains a large number of clickable external links, a pattern typical of SEO manipulation and of carrier documents that route users into malicious content. The extracted links point at many different domains but share a single path structure (/uploads/1/3/0/<n>/<nine-digit id>/<name>.pdf), which is consistent with generated link-farm content rather than genuine citations. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports the malicious classification. The document body appears to be corrupted or truncated, which prevented a deeper analysis of the specific lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.halespinosa.com/uploads/1/3/0/6/130620274/2d7d77e1c7.pdf
    • http://businessbella.com/uploads/1/3/0/7/130740338/muwovif.pdf
    • http://www.bethgarramoneross.com/uploads/1/3/0/2/130271128/78914c182.pdf
    • http://suffolkimplant.com/uploads/1/3/0/2/130288552/kiwonaseveduvo_jilelud_pigipizojem_tetesifox.pdf
    • http://delbertsonrealty.com/uploads/1/3/0/6/130639998/feb78df.pdf
    • http://mindfulsouthcarolina.com/uploads/1/3/0/4/130490181/dilibufawujub-vuboriwosel-tevotiralinu-mirogoxomaluvil.pdf
    • http://margaritavibe.com/uploads/1/3/0/3/130323818/zawanaxoriz.pdf
    • http://citywidevalet.com/uploads/1/3/0/2/130289700/d29d4b19.pdf
    • http://taoshiatsuvancouver.com/uploads/1/3/0/5/130588710/satom-nojerubav-kujovofi-xadareka.pdf
    • http://barnyardbidders.com/uploads/1/3/0/6/130604358/mogikokafunimexuvo.pdf
    • http://rrleads.ca/uploads/1/3/0/3/130379423/5f0ce84bcf.pdf
    • http://discoverhomestores.com/uploads/1/3/0/6/130604287/regis.pdf
    • http://sunsteellogistics.com/uploads/1/3/0/7/130739000/5358979.pdf
    • http://sarahstrasser.net/uploads/1/3/0/2/130289729/nuwevitowipe-lozumabemore-ruvumukawexen-xotimonop.pdf
    • http://funeralderangements.com/uploads/1/3/0/2/130274355/koxoni.pdf
    • http://factorygeek.com/uploads/1/3/0/5/130540604/4918984.pdf
    • http://www.freshnewnews.com/uploads/1/3/0/4/130483783/cd7a00.pdf
    • http://50klawn.net/uploads/1/3/0/6/130622093/dovuvixet_mavodopax_sosug_samepem.pdf
    • http://karpekanemwines.com/uploads/1/3/0/7/130775456/8817e1.pdf
    • http://www.eta.phirhoeta.org/uploads/1/3/0/5/130551981/4710481.pdf
    • http://www.carolsonleon.ca/uploads/1/3/0/4/130478314/2466fee80.pdf
    • http://flowercitymushrooms.com/uploads/1/3/0/6/130639721/nazasuzikode-niximoze-zoreg-puxoruvoze.pdf
    • http://domicilia2.com/uploads/1/3/0/5/130588948/xunupodo.pdf
    • http://bozhidaoyulechengguanwang.br3h.com/uploads/1/3/0/4/130483397/130483397.html#the+maze+runner+book+1+free
    • http://www.bethgarramoneross.com/upload
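The PDF_SEO_LINK_FARM heuristic above and the URL list it fired on can be reproduced with a short scanner. The following is an added example written for this page, not code from the report or from the tool that produced it. It pulls /URI targets out of raw PDF bytes (literal and hex strings; compressed object streams are not expanded) and applies a link-farm rule: a small file, many clickable links to .pdf targets, and those links concentrated on one host or, as an extension reflecting the list above, on one path template. The thresholds, the path-template clustering, the minimal PDF builder and the placeholder hosts under the reserved .example TLD are all assumptions; the sample input is constructed and is not the real sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Link annotations carry their target as /A << /S /URI /URI (literal) >>; the
# URI may also be written as a hex string <...>. Both forms are matched on raw
# bytes. Objects inside /ObjStm or Flate-compressed streams are not expanded
# here; a production scanner decompresses them first.
URI_LITERAL_RE = re.compile(rb'/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)')
URI_HEX_RE = re.compile(rb'/URI\s*<(?P<hex>[0-9A-Fa-f\s]+)>')


def extract_uris(pdf_bytes):
    """Return every /URI target found in the raw PDF bytes, in file order."""
    hits = []
    for m in URI_LITERAL_RE.finditer(pdf_bytes):
        # undo the PDF literal-string escapes that matter for URLs
        raw = m.group('uri').replace(rb'\(', b'(').replace(rb'\)', b')').replace(rb'\\', b'\\')
        hits.append((m.start(), raw.decode('latin-1')))
    for m in URI_HEX_RE.finditer(pdf_bytes):
        hexdigits = re.sub(rb'\s', b'', m.group('hex')).decode('ascii')
        hits.append((m.start(), bytes.fromhex(hexdigits).decode('latin-1')))
    return [u for _, u in sorted(hits)]


def path_template(url):
    """Directory part of the path with digit runs replaced by '#', so that
    /uploads/1/3/0/6/130620274/a.pdf and /uploads/1/3/0/2/130271128/b.pdf
    collapse to the same key (/uploads/#/#/#/#/#/)."""
    directory = urlsplit(url).path.rsplit('/', 1)[0] + '/'
    return re.sub(r'\d+', '#', directory)


def link_farm_score(pdf_bytes, size_limit=100 * 1024, min_pdf_links=10, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style rule; all three thresholds are assumptions.
    Flags a small file whose clickable external links are mostly .pdf targets
    concentrated on one host or (extension) on one path template."""
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if urlsplit(u).scheme in ('http', 'https')]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith('.pdf')]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    n = len(external)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf_bytes) <= size_limit
               and len(pdf_links) >= min_pdf_links
               and max(top_host_share, top_template_share) >= cluster_ratio)
    return {
        'size': len(pdf_bytes),
        'external_links': n,
        'pdf_links': len(pdf_links),
        'distinct_hosts': len(hosts),
        'top_host_share': top_host_share,
        'top_template_share': top_template_share,
        'flagged': flagged,
    }


def build_sample_pdf(urls):
    """Build a minimal single-page PDF with one /Link annotation per URL
    (test-data generator, not part of any scanner)."""
    annot_refs = ' '.join(f'{4 + i} 0 R' for i in range(len(urls)))
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        f'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annot_refs}] >>'.encode(),
    ]
    for i, u in enumerate(urls):
        objs.append(f'<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] '
                    f'/A << /S /URI /URI ({u}) >> >>'.encode())
    out = bytearray(b'%PDF-1.4\n')
    offsets = []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f'{n} 0 obj\n'.encode() + body + b'\nendobj\n'
    xref_pos = len(out)
    out += f'xref\n0 {len(objs) + 1}\n0000000000 65535 f \n'.encode()
    for off in offsets:
        out += f'{off:010d} 00000 n \n'.encode()
    out += f'trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_pos}\n%%EOF\n'.encode()
    return bytes(out)


# Constructed sample: placeholder hosts under the reserved .example TLD, laid
# out like the report's URL list (different hosts, identical path structure).
SAMPLE_URLS = [
    f'http://site{i:02d}.example/uploads/1/3/0/{i % 8}/1300{i:05d}/{0xabc000 + i:x}.pdf'
    for i in range(12)
]
SAMPLE_URLS.append('http://site00.example/uploads/1/3/0/4/130000000/130000000.html#free+book')

if __name__ == '__main__':
    for key, value in link_farm_score(build_sample_pdf(SAMPLE_URLS)).items():
        print(f'{key}: {value}')
```

On the constructed sample the host share stays low (12 distinct hosts) while the path-template share is 1.0, so the rule only fires because of the template clustering; a link list that really were clustered on one host would trip the first condition instead. A two-link document with ordinary targets is not flagged.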

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000030ea.bin
SHA-256: 8a4be9062177188810f7bad8a82ffb626928cbef2a75e36afd61d6de0ffcab4c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x30EA
Size: 8328 bytes