Malicious PDF — malware analysis report

Static analysis result for SHA-256 df21c1a95878e118…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Authoring application: Karbon
MD5: 8ceee00e3b743eb3d1300d17b3267337
SHA-1: b4ac8845756da28f6128d796e87f174b6b044d32
SHA-256: df21c1a95878e11823db55e8cd2683546c87d3e5d8cd33a63c5da20639a8a274
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. This technique, identified as PDF_SEO_LINK_FARM, is commonly used to distribute malicious content or conduct phishing attacks by overwhelming search engines with links to compromised or malicious sites. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports the malicious nature of this file.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000045f7.bin
    SHA-256: 99ce9f39502ee40f4e33c9413acca06506d36480bd8c0d49bffacd00aadb54c4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x45F7
    Size: 17372 bytes
  • Filename: font_01_sfnt_off000061d6.bin
    SHA-256: 7c06010b369e8bbfb2614cfb0e2c0d396e64b3635e0a20e90fb200949c8faada
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x61D6
    Size: 8044 bytes