Malicious PDF — malware analysis report

Static analysis result for SHA-256 e24aaa6356c0adac…

MALICIOUS

PDF

Size: 36.7 KB
Authoring application: Solid Converter PDF
MD5: 62d9428097ffb27cf8c23c33e7016da7
SHA-1: 5948333e26e581a2a39b368d39ca7dbc0a02b911
SHA-256: e24aaa6356c0adac0e7e5cc77f2ea791984ebd6143418c5381f8494720514c32
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files on various domains, indicative of a link farm or redirection scheme. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The document body text appears to be corrupted or obfuscated, preventing a clear understanding of its direct lure, but the overall structure points to a malicious distribution network.

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010eb.bin
17051bed96ca041ccca234c1795723129ffeb607f8ed140e56285f8370f35c6e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10EB
Size: 7896 bytes