Malicious PDF — malware analysis report

Static analysis result for SHA-256 daa98a8ff2ac7f48…

Verdict: MALICIOUS
File type: PDF
Size: 63.7 KB
Authoring application: Scribus
MD5: 7fecb185eecb0f11b1c7c5b43799b154
SHA-1: bb82375bc59b2c10d509f8dfe896dea7dec1b95a
SHA-256: daa98a8ff2ac7f48068831eb17615c220e3d4db3770436f9ceca76c3bc1f63b3
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment, T1204.001 User Execution: Malicious Link

The critical heuristic PDF_SEO_LINK_FARM fired: this small PDF carries a mass of clickable links to external PDFs, which indicates that its primary purpose is to act as a link farm, either for SEO manipulation or to redirect users to malicious content on hosts such as www.thesportschampishere.com. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 supports the malicious classification. No JavaScript or other scripts were extracted from this sample, so the risk comes from a user following one of the embedded links rather than from active content in the file.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.thesportschampishere.com/uploads/1/3/0/6/130639841/14b17b6bc8478cf.pdf
    • http://profisi.eu/uploads/1/3/0/7/130739499/5983081.pdf
    • http://geelongtreeservice.com.au/uploads/1/3/0/4/130476013/vejazotox.pdf
    • http://northshoreplaytherapy.com/uploads/1/3/0/7/130775401/4c86c4a9c6b2.pdf
    • http://questforreadingsuccess.com/uploads/1/3/0/8/130814469/jarumam.pdf
    • http://www.zenaquascapes.com/uploads/1/3/0/2/130287445/2145128.pdf
    • http://projectindigo.co/uploads/1/3/0/6/130620265/rozuwapeger-wazimuxiz.pdf
    • http://inklingsacademy.net/uploads/1/3/0/7/130739740/6730919.pdf
    • http://alicezeng.com/uploads/1/3/0/5/130541313/a10f7a.pdf
    • http://callncard.com/uploads/1/3/0/5/130551692/d2a2c.pdf
    • http://kaiauluconnectors.com/uploads/1/3/0/6/130621657/dofobo_rimiba_fanejubino.pdf
    • http://rechtspraak-republieknl-aarde.space/uploads/1/3/0/5/130540507/zalapewute-texede-metunijavub-monumu.pdf
    • http://www.fatherhoodandfamily.com/uploads/1/3/0/6/130639922/2722621.pdf
    • http://kartell.com.vn/uploads/1/3/0/3/130323186/ganegifexurezaj.pdf
    • http://msiclick.com/uploads/1/3/0/3/130313484/8652141.pdf
    • http://mail.patwinslow.com/uploads/1/3/0/3/130313144/lipef.pdf
    • http://pomp5.pleasingfood.com/uploads/1/3/0/2/130288644/130288644.html#akbar+aur+birbal+ki+kahani+video+mein
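The two heuristics above describe what the platform looks for: URLs extracted per channel (EMBEDDED_URL) and a small PDF whose clickable links form a farm of external PDFs (PDF_SEO_LINK_FARM). The script below is an added example, not the analysis platform's code, that reproduces both steps on a constructed PDF: it pulls /URI link-annotation targets and URLs in visible page text out of a raw PDF, then scores the link-farm pattern. The thresholds, the path-template clustering criterion, the host names and the function names are assumptions; the sample PDF is built inside the script, and nothing is fetched from the network.

```python
"""Added example, not the analysis platform's code: URL extraction by channel
and a small-PDF link-farm heuristic in the spirit of PDF_SEO_LINK_FARM.
Thresholds, helper names and the sample PDF are assumptions for illustration.
Runs offline; it never fetches any URL."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# /URI values are PDF literal strings (...) with backslash escapes, or hex <...>
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")


def extract_urls(pdf: bytes) -> dict:
    """Map channel -> list of URLs. 'link_annotation' covers /URI actions that
    fire on click; 'document_body' covers URLs written as visible text inside
    (optionally Flate-compressed) content streams. Objects packed into
    compressed object streams (/ObjStm) are not expanded by this scanner."""
    links = [m.group(1) for m in URI_LIT_RE.finditer(pdf)]
    for m in URI_HEX_RE.finditer(pdf):
        links.append(bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode()))
    body = []
    for obj in OBJ_RE.finditer(pdf):
        sm = STREAM_RE.search(obj.group(1))
        if not sm:
            continue
        data = sm.group(1)
        if b"/FlateDecode" in obj.group(1)[: sm.start()]:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or multi-filter stream: skip, do not crash
        body.extend(m.group(0) for m in URL_RE.finditer(data))
    return {
        "link_annotation": [u.decode("latin-1") for u in links],
        "document_body": [u.decode("latin-1") for u in body],
    }


def link_farm_heuristic(pdf: bytes, max_size=256 * 1024, min_links=8,
                        min_pdf_share=0.6, min_cluster_share=0.5) -> dict:
    """Fire when a small PDF carries many clickable links to other PDFs that
    cluster on one host or on one shared path template. The path-template
    criterion is an assumed addition: farm URLs often differ only in host and
    a numeric directory, e.g. /uploads/1/3/0/<n>/<id>/<name>.pdf."""
    links = extract_urls(pdf)["link_annotation"]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    templates = Counter("/".join(urlsplit(u).path.split("/")[:4]) for u in pdf_links)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else ("", 0)
    cluster_share = max(top_host_n, top_tpl_n) / n if n else 0.0
    pdf_share = n / len(links) if links else 0.0
    fires = bool(len(pdf) <= max_size and n >= min_links
                 and pdf_share >= min_pdf_share and cluster_share >= min_cluster_share)
    return {"fires": fires, "size": len(pdf), "links": len(links), "pdf_links": n,
            "pdf_share": round(pdf_share, 2), "top_host": top_host,
            "top_path_template": top_tpl, "cluster_share": round(cluster_share, 2)}


def build_sample_pdf(uris, body_url: bytes) -> bytes:
    """Constructed sample: one page, one /Link annotation per URI, and a
    Flate-compressed content stream whose visible text contains body_url.
    No xref table is written; this scanner does not need one."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (" + body_url + b") Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        None,  # page object, filled in once annotation numbers are known
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
    ]
    annots = []
    for uri in uris:
        annots.append(len(objs) + 1)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
                    b" /A << /S /URI /URI (" + uri + b") >> >>")
    refs = b" ".join(b"%d 0 R" % num for num in annots)
    objs[2] = b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + refs + b"] >>"
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample (not the report's URLs): seven .pdf links on one host under
# a shared /uploads/1/3/0/<n>/ template, two on a second host, one ordinary
# non-PDF link, and one URL that appears only in the visible page text.
SAMPLE_URIS = [
    b"http://farm-a.example/uploads/1/3/0/1/130010001/a1.pdf",
    b"http://farm-a.example/uploads/1/3/0/2/130010002/b2.pdf",
    b"http://farm-a.example/uploads/1/3/0/3/130010003/c3.pdf",
    b"http://farm-a.example/uploads/1/3/0/4/130010004/d4.pdf",
    b"http://farm-a.example/uploads/1/3/0/5/130010005/e5.pdf",
    b"http://farm-a.example/uploads/1/3/0/6/130010006/f6.pdf",
    b"http://farm-a.example/uploads/1/3/0/7/130010007/g7.pdf",
    b"http://farm-b.example/uploads/1/3/0/8/130010008/h8.pdf",
    b"http://farm-b.example/uploads/1/3/0/9/130010009/i9.pdf",
    b"http://www.example.org/about",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS, b"http://notes.example/index.html")

if __name__ == "__main__":
    for channel, urls in extract_urls(SAMPLE_PDF).items():
        print(channel, urls)
    print(link_farm_heuristic(SAMPLE_PDF))
```

Run against a real sample by reading the file's bytes instead of SAMPLE_PDF. Only the link-annotation channel feeds the score, because those are the links a reader actually clicks; body-text URLs are reported separately, matching the report's point that an extracted URL is information, not a detection by itself.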

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off000067f4.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x67F4  1388 bytes
    SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
font_01_sfnt_off0000723f.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x723F  17704 bytes
    SHA-256: 7acc38936266b97d5820fd4075e010aaf9adeaf2e218d37adcfdb3db4e467360
font_02_sfnt_off0000a1be.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xA1BE  7052 bytes
    SHA-256: 046f3dbbe2ecab5a52ee0161d9fccaa9e77e1a546513e91bb67b6cd4f92fafe1