Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2ff0a0730ea9a83…

MALICIOUS

PDF

Size: 92.6 KB
Authoring application: Serif PagePlus
MD5: 907d356711881ad4efc38b5c39a74a7c
SHA-1: 8a312c64a8016da69b79813a961ddef271a04084
SHA-256: e2ff0a0730ea9a83a0b10caf0730ecb55d687d6af1fb69e7a67949891b8e2661
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains 20 clickable external URLs, a count and pattern indicative of a generated link-farm / SEO-manipulation carrier rather than a normal document. Nineteen of the links point to further .pdf files on 19 different hosts that share a single path template (/uploads/1/3/0/N/13xxxxxxx/<name>.pdf); the remaining link is an .html page whose fragment (namaz+ki+surah+padhne+ka+tarika) matches the religious-practice theme of the document text, so the visible content acts as a lure that disguises the purpose of the links. The document body text is heavily obfuscated. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently classifies the file as a phishing carrier, consistent with a chain that redirects users to phishing or unwanted-software content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (20):
    • http://vietcryptonews.com/uploads/1/3/0/4/130477152/5350989.pdf
    • http://mrlob9000.net/uploads/1/3/0/7/130776114/2815193.pdf
    • http://meowstories.us/uploads/1/3/0/2/130292110/2055186.pdf
    • http://voyagr.net/uploads/1/3/0/6/130605168/fd7dbb5.pdf
    • http://andreaortega.com/uploads/1/3/0/6/130604006/mezefe.pdf
    • http://mollysteinwald.org/uploads/1/3/0/6/130640049/gipiwogavuj.pdf
    • http://balihaidreams.com/uploads/1/3/0/6/130620813/758db.pdf
    • http://buzzfanzine.com/uploads/1/3/0/7/130739475/ed87d60301.pdf
    • http://platinumupholstery.com/uploads/1/3/0/8/130813478/d193e6fabeb9.pdf
    • http://deannamcleod.com/uploads/1/3/0/6/130604448/kekab.pdf
    • http://hostmaster.exoleader.com/uploads/1/3/0/7/130739886/e772006d9.pdf
    • http://ru4christ.net/uploads/1/3/0/6/130639669/c2930bf.pdf
    • http://2ndfromthesun.com/uploads/1/3/0/6/130639797/semiselavef_rezaf.pdf
    • http://eliteculinarychef.com/uploads/1/3/0/6/130620209/tovamuze.pdf
    • http://myangelsandcherubs.com/uploads/1/3/0/6/130604764/7706709.pdf
    • http://autumnhospitality.com/uploads/1/3/0/5/130546076/4278025.pdf
    • http://berea-associates.com/uploads/1/3/0/5/130546971/ce5ea36b4.pdf
    • http://mail.commonsensepress.com/uploads/1/3/0/6/130621901/moradapatewijezijige.pdf
    • http://bouvardtavern.com/uploads/1/3/0/7/130775821/0ffb8f7d60c2c.pdf
    • http://xruca0.salon225.com/uploads/1/3/0/7/130739591/130739591.html#namaz+ki+surah+padhne+ka+tarika
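The PDF_SEO_LINK_FARM heuristic above combines three observations: the file is small, it carries many clickable external links, and those links cluster. The following is an added example written for this page, not the report tool's own code, showing one way to reproduce that check offline: it pulls /URI link-annotation targets out of raw PDF bytes and measures clustering both by host and by path template, the latter because the links in this sample sit on 20 different hosts yet share one /uploads/1/3/0/N/13xxxxxxx/ path shape. The thresholds (10 links, 512 KB, 50% cluster ratio), the function names and the sample URLs (placeholder hosts, not the report's indicators) are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the target of a /URI action written as a PDF literal string, e.g.
# /A << /S /URI /URI (http://host/path.pdf) >>.  Backslash escapes inside the
# string are honoured; the hex-string form (<...>) is not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def build_sample_pdf(urls):
    """Constructed test input: a minimal uncompressed PDF whose single page
    carries one /Link annotation per URL.  The xref table is omitted because
    the byte-level extractor below never consults it."""
    annots = "".join(
        "<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({u}) >> >> "
        for u in urls
    )
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] >> endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


def extract_uri_links(pdf_bytes):
    """Return /URI targets visible in uncompressed PDF syntax.  Annotations
    held in FlateDecode'd object streams must be inflated first (for example
    with qpdf --qdf --object-streams=disable) or this undercounts."""
    urls = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = (m.group(1)
               .replace(rb"\(", b"(")
               .replace(rb"\)", b")")
               .replace(rb"\\", b"\\"))
        urls.append(raw.decode("latin-1"))
    return urls


def path_template(url):
    """Collapse a URL path to its shape: digit runs become N and the final
    component is reduced to its extension, so /uploads/1/3/0/6/130604006/x.pdf
    and /uploads/1/3/0/7/130739886/y.pdf map to the same template."""
    directory, _, name = urlsplit(url).path.rpartition("/")
    directory = re.sub(r"\d+", "N", directory)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return f"{directory}/*.{ext}" if ext else f"{directory}/*"


def assess_link_farm(pdf_bytes, min_links=10, max_size=512 * 1024, cluster_ratio=0.5):
    """Heuristic in the spirit of PDF_SEO_LINK_FARM: a small file with many
    external links that cluster either on one host or on one path template.
    The thresholds are illustrative assumptions, not the report tool's values."""
    urls = extract_uri_links(pdf_bytes)
    external = [u for u in urls if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else ("", 0)
    host_clustered = n > 0 and top_host_n / n >= cluster_ratio
    template_clustered = n > 0 and top_tpl_n / n >= cluster_ratio
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_template": top_tpl,
        "host_clustered": host_clustered,
        "template_clustered": template_clustered,
        "flagged": len(pdf_bytes) <= max_size and n >= min_links
                   and (host_clustered or template_clustered),
    }


# Constructed sample URLs (placeholder hosts, not the report's indicators) that
# mimic this report's pattern: many distinct hosts, one shared path template.
FARM_URLS = [
    f"http://host{i:02d}.example/uploads/1/3/0/{i % 9}/13{i:07d}/{(i + 1) * 7919:x}.pdf"
    for i in range(12)
]
# A document with a couple of ordinary citations, for contrast.
BENIGN_URLS = ["https://docs.example/reference.html", "https://mirror.example/paper.pdf"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(label, assess_link_farm(build_sample_pdf(urls)))
```

Scoring by path template as well as by host is what keeps the check from missing a sample like this one, where the heuristic's "clustered on one host" wording does not hold but the links are plainly machine-generated. Run it on a real file only after inflating compressed object streams, and treat the result as triage input alongside the AV verdict, not as a detection on its own.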

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000bbfb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBFB | 16144 bytes | d71621eb3bff8ac6942496ac6d5049f6da1a7d3b19ff66b7601d0e45ae01c893
font_01_sfnt_off0000d0a0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD0A0 | 1388 bytes | 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
font_02_sfnt_off0000dba0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDBA0 | 19140 bytes | 45217e6fee0cb984a86132db5cf08ccd9c045786f931f8a80e08da439b10efbe
font_03_sfnt_off00010e05.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E05 | 8468 bytes | d9afa327bd41d27f715fdcda7feaa0274efad3ffc6be0e26916746272e4585c0