Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc65f6fc1331648a…

Verdict: MALICIOUS
File type: PDF
Size: 55.9 KB
Authoring application: Scribus
First seen: 2020-09-07
MD5: 65bc5e828901678675fc77d837421846
SHA-1: 8c1db98d83e7d12297db102ab462c79768cc8e44
SHA-256: dc65f6fc1331648abaa3f227fd66c2c06399ddde778c0187b1027715ead7c37a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to external PDF documents, as flagged by the PDF_SEO_LINK_FARM heuristic. This pattern is characteristic of a phishing or SEO-manipulation campaign. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, most likely traffic redirection or phishing.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rtpliving.com/uploads/1/3/0/4/130476766/f583cfbaa4c4.pdf
    • http://www.chris-roach.com/uploads/1/3/0/6/130639382/kamuvezexorose.pdf
    • http://bailemout.com/uploads/1/3/0/9/130969214/rixomujirud_najulurivoxeru_gobegej.pdf
    • http://www.smooshphotobooth.com/uploads/1/3/0/2/130271148/a813e99c24f0d.pdf
    • http://startapper.com/uploads/1/3/0/6/130640022/574560a2755bf.pdf
    • http://lynnbconsulting.com/uploads/1/3/0/7/130739621/bububijogere-pudak.pdf
    • http://revolista.net/uploads/1/3/0/6/130620956/wosefujigiger.pdf
    • http://chinwhiskers.com/uploads/1/3/0/4/130483385/7125095.pdf
    • http://menscentralinmatesearch.com/uploads/1/3/0/4/130476294/7b74bb8a.pdf
    • http://navslaborers.org/uploads/1/3/0/2/130289523/didudiwama.pdf
    • http://www.egologic.co.uk/uploads/1/3/0/7/130775299/2312351.pdf
    • http://shamelessprofit.com/uploads/1/3/0/4/130435771/kakejurokego_situsorodoxe_wiwolidam_jazupufiwatane.pdf
    • http://mx.plastecprofiles.com/uploads/1/3/0/2/130272364/329932ad41562f.pdf
    • http://nadinebrockel.de/uploads/1/3/0/7/130776123/kawudosamugitofudesu.pdf
    • http://webmail.clickingcanvases.com/uploads/1/3/0/9/130969580/zeroruruvebopijuwop.pdf
    • http://rockandrowel.com/uploads/1/3/0/3/130313307/130313307.html#acidosis+causes+oxyhemoglobin+dissociation+curve

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005c25.bin
    SHA-256: 1a48559509f7f75063a877bee3d72c2f3225c728dd953cebf65f9a5167f6cbd7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5C25
    Size: 16036 bytes
  • font_01_sfnt_off00007062.bin
    SHA-256: 76b5675454b46df54b5e32020f65a8aa4f3eb342769f1868dcf1b9b009f9bfec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7062
    Size: 2900 bytes
  • font_02_sfnt_off00007d48.bin
    SHA-256: 9de69953304a097a0af065ce5449d575a44ec3cd86ca672a5ba8017ac2bd7887
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D48
    Size: 9068 bytes