Malicious PDF — malware analysis report

Static analysis result for SHA-256 dafe6793004bfd3a…

Verdict: MALICIOUS
File type: PDF
Size: 44.5 KB
Authoring application: Smallpdf Desktop
MD5: 482434d1772ecae71a155047e33d3306
SHA-1: 84be9dd9bf8115b4527f4f10871b36907f8022d1
SHA-256: dafe6793004bfd3a2c9c792bbccaf36ade36a750ee9138a4f1e12d0d97aa20b6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on many different domains, nearly all with the same /uploads/1/3/0/<n>/<id>/ path structure. This is characteristic of a generated link farm or a distribution hop for further malicious content, as flagged by the PDF_SEO_LINK_FARM heuristic and by ClamAV's detection as Pdf.Phishing.TtraffRobotInstall. No scripts were extracted from this sample, so the payload delivery and execution method cannot be determined from static analysis, and the T1059.001 (PowerShell) mapping is not supported by any artifact in this file. The URLs are not detections in themselves; they are the leads that the next analysis stage would fetch and pivot on.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://wikiresumen.org/uploads/1/3/0/2/130289453/xerapawiloraku.pdf
    • http://www.momsandmiracles.co.za/uploads/1/3/0/6/130621362/4b032364770ea4.pdf
    • http://jazzislife.net/uploads/1/3/0/6/130605217/7869218.pdf
    • http://mosquitobrf.org/uploads/1/3/0/6/130621361/pemaropotupom-dozivodo-tifodesunezag-belonula.pdf
    • http://hulumao-cat.com/uploads/1/3/0/7/130739980/6f0f6308fa9.pdf
    • http://nwm11.club/uploads/1/3/0/7/130738504/1985212.pdf
    • http://www.joelhobom.com/uploads/1/3/0/4/130476492/xofuf.pdf
    • http://mindbodymovementarts.com/uploads/1/3/0/5/130539840/kiviv-bunorifalil-gipirapativ.pdf
    • http://mutiny-cannabis.com/uploads/1/3/0/5/130589249/duzadugivobi_jedarolules_rebifo_zadukojula.pdf
    • http://monextranet.ca/uploads/1/3/0/2/130270866/6d59cb.pdf
    • http://sowoo.co/uploads/1/3/0/8/130874257/kowovosigepufa.pdf
    • http://mrmcgintysmonarchs.com/uploads/1/3/0/6/130621135/zijuwuzeravup.pdf
    • http://mrsac.net/uploads/1/3/0/3/130323392/0e8d9ea5e4.pdf
    • http://chickflickguide.com/uploads/1/3/0/4/130477252/7722624.pdf
    • http://08dushu.com/uploads/1/3/0/6/130620384/7647256.pdf
    • http://blueabydesigns.com/uploads/1/3/0/6/130604848/zawebalorit_xotonagese_toguluz_vixubepadis.pdf
    • http://pogopossum.net/uploads/1/3/0/5/130542971/12f81c28430a4f4.pdf
    • http://fumblydiddles2.com/uploads/1/3/0/8/130814004/juxizokaganatoxuti.pdf
    • http://wrckitfitness.shop/uploads/1/3/0/7/130775215/damezumupul-telim.pdf
    • http://nupelicanparty.org/uploads/1/3/0/8/130813876/c8e3bb37b43.pdf
    • http://teslawirelesspower.com/uploads/1/3/0/2/130273748/4039f215efcdd.pdf
    • http://sales11-sip-phone.pleasingfood.com/uploads/1/3/0/5/130551279/130551279.html#esl+printable+grammar+exercises+for+adults
    • http://mindbodymovementarts.com/uploads/1/3/0/5/130539840/kiviv-bunor
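The following Python is an added example and not part of this report or of the scanner that produced it. It shows the two pieces of logic the heuristics above rely on: extracting URLs from a PDF labelled by the channel that reaches them (/URI action string, /JS action string, or raw document body), and a toy version of the PDF_SEO_LINK_FARM check (small file, many clickable links, mostly .pdf targets, clustered). It goes one step beyond the heuristic's wording, which speaks only of one host, by also clustering on path shape, since the URL list above sits on many hosts but shares the /uploads/1/3/0/<n>/<id>/ structure. Everything here is assumed: the thresholds, channel names and helper names, and the constructed .example URLs used in place of the real domains. It uses only the standard library and handles PDF literal strings with nested parentheses and escapes, which a naive regex gets wrong.

```python
# Added example (not the report's scanner): stdlib-only URL extraction from a PDF by
# channel, plus a toy PDF_SEO_LINK_FARM check. Thresholds and hosts are assumptions.
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(rb"https?://[^\s<>()'\"]+")


def _read_literal(data: bytes, pos: int) -> tuple[bytes, int]:
    """Read the PDF literal string whose '(' is at data[pos], honouring balanced
    nested parentheses and backslash escapes (a plain [^)]* regex breaks on strings
    such as (app.launchURL("x"))). Returns (body, index just past the closing ')')."""
    depth, i, out = 0, pos, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # escaped byte: copy it verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out), i + 1
        if i > pos:                         # drop the opening parenthesis itself
            out += c
        i += 1
    raise ValueError("unterminated PDF literal string")

def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """(channel, url) pairs. 'link_annotation': /URI action strings (assumed to belong to
    /Link annotations; the object graph is not walked). 'javascript': URLs inside /JS
    action strings. 'body': URLs found anywhere else in the file."""
    found, spans = [], []
    for m in re.finditer(rb"/(URI|JS)\s*(?=\()", pdf):
        body, end = _read_literal(pdf, m.end())
        spans.append((m.end(), end))
        if m.group(1) == b"URI":
            found.append(("link_annotation", body.decode("latin-1")))
        else:
            found += [("javascript", u.group(0).decode("latin-1")) for u in URL_RE.finditer(body)]
    for m in URL_RE.finditer(pdf):
        if not any(s <= m.start() < e for s, e in spans):
            found.append(("body", m.group(0).decode("latin-1")))
    return found

def link_farm_verdict(pdf: bytes, *, max_size: int = 200 * 1024, min_links: int = 10,
                      min_pdf_ratio: float = 0.8, min_cluster: float = 0.5) -> dict:
    """Toy PDF_SEO_LINK_FARM: small file, many clickable links, mostly .pdf targets,
    clustered on one host or (beyond the heuristic's wording) on one path shape."""
    links = [urlparse(u) for ch, u in extract_urls(pdf) if ch == "link_annotation"]
    out = {"size": len(pdf), "clickable": len(links), "flag": False}
    if len(pdf) > max_size or len(links) < min_links:
        return out
    # Collapse digit runs so /uploads/1/3/0/6/130621362/ and /uploads/1/3/0/2/130270866/
    # share the shape /uploads/N/N/N/N/N even though their hosts differ.
    shapes = Counter(re.sub(r"\d+", "N", p.path.rpartition("/")[0]) for p in links)
    hosts = Counter(p.hostname for p in links)
    out["pdf_ratio"] = sum(p.path.lower().endswith(".pdf") for p in links) / len(links)
    out["top_host"], host_n = hosts.most_common(1)[0]
    out["top_path_shape"], shape_n = shapes.most_common(1)[0]
    out["cluster_ratio"] = max(host_n, shape_n) / len(links)
    out["flag"] = out["pdf_ratio"] >= min_pdf_ratio and out["cluster_ratio"] >= min_cluster
    return out

def build_sample_pdf(link_urls: list[str], js_url: str | None = None, body_text: str = "") -> bytes:
    """Constructed test PDF: one /Link annotation per URL, an optional /JS action and a
    content stream carrying body_text. Enough for the parsers above; no xref, will not render."""
    parts, n = [b"%PDF-1.4\n"], 0

    def obj(body: str) -> int:
        nonlocal n
        n += 1
        parts.append(f"{n} 0 obj\n{body}\nendobj\n".encode("latin-1"))
        return n

    annots = [obj(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI ({u}) >> >>")
              for u in link_urls]
    if js_url:
        annots.append(obj('<< /Type /Annot /Subtype /Link /Rect [0 20 100 30] /A << /S /JavaScript '
                          f'/JS (app.launchURL("{js_url}", true)) >> >>'))
    stream = f"BT /F1 12 Tf 10 10 Td ({body_text}) Tj ET"
    content = obj(f"<< /Length {len(stream)} >>\nstream\n{stream}\nendstream")
    refs = " ".join(f"{i} 0 R" for i in annots)
    obj(f"<< /Type /Page /Contents {content} 0 R /Annots [{refs}] >>")
    parts.append(b"%%EOF\n")
    return b"".join(parts)

# Constructed URLs copying the /uploads/1/3/0/<n>/<id>/<name>.pdf shape seen in the
# report, on reserved .example hosts instead of the real domains.
FARM_URLS = [f"http://site{i}.example/uploads/1/3/0/{i % 9}/13{i:07d}/doc{i}.pdf" for i in range(12)]

if __name__ == "__main__":
    sample = build_sample_pdf(FARM_URLS, js_url="http://js.example/next.pdf",
                              body_text="see http://body.example/page.html")
    print(extract_urls(sample))
    print(link_farm_verdict(sample))
```

Running the module builds the constructed sample, lists each URL with its channel, and prints the verdict dictionary, which flags the file on path-shape clustering even though every link sits on a different host. Real PDFs can hide the same strings in object streams, hex strings or encoded filters, so a production extractor would decompress streams and decode hex strings before applying this logic.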

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000034c8.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x34C8
    Size: 16204 bytes
  • font_01_sfnt_off00004cbc.bin
    SHA-256: b2cadb2e00d3a1d9b9dccecc699ed3492a3a16081c00f9f9e6208b77db160f18
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4CBC
    Size: 8132 bytes