Malicious PDF — malware analysis report

Static analysis result for SHA-256 e35f39af3836295f…

MALICIOUS

PDF

Size: 46.7 KB
Authoring application: GIMP
MD5: 8192ffa6dd2675a112adecd34def56e0
SHA-1: 0595711cf072662aac3ce7a707ab81e4e10c9cd2
SHA-256: e35f39af3836295fab49c56037f5f3323143da70c8ec73ecbc04d4f9db9c5022
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

ClamAV detected the PDF as malicious with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis also triggered the PDF_SEO_LINK_FARM heuristic, indicating that the document carries numerous external PDF links; the primary malicious URL is http://gosir.pweuxk.xyz/uploads/2020/01/28/pojonitaxezotudu.pdf. The document body, though heavily obfuscated, suggests a lure related to a 'GIMP Draw bolt template'. Taken together, these findings strongly suggest a phishing or malware distribution campaign that uses a link farm to redirect users to further malicious content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gosir.pweuxk.xyz/uploads/2020/01/28/pojonitaxezotudu.pdf
    • http://connectionsthruart.com/uploads/1/3/0/2/130289722/dokesuwapeme-vufiwopuveziru.pdf
    • http://nezelij.healthmonitoring.tech/uploads/2020/01/28/zumezedub.pdf
    • http://novaruswc.com/uploads/1/3/0/5/130539046/vezedusufukided_vofakedalaxedin_pagadawap_nunupitexipapud.pdf
    • https://lobenibawibi.weebly.com/uploads/1/3/0/5/130551266/boritimibivaluk_jotobugutanop_kadorafom_mefak.pdf
    • https://vogotevuju.weebly.com/uploads/1/3/0/5/130589239/8599429.pdf
    • http://rbrvocal.weebly.com/uploads/1/3/0/4/130435960/duvuwatofaziba.pdf
    • http://toteju.0406shopps04.fun/uploads/2020/01/29/2936746.pdf
    • https://xatukoronixelaw.weebly.com/uploads/1/3/0/5/130590677/8481825.pdf
    • http://marketing-digital.ru/uploads/2020/01/27/fuxekurefodoje.pdf
    • http://topmuscle.ru/uploads/2020/01/28/2769732.pdf
    • http://portraitsformodernpeople.com/uploads/1/3/0/2/130270980/rabumojajos-kunenuka.pdf
    • http://contractgovernmentservices.com/uploads/1/3/0/5/130540017/xamen.pdf
    • http://bupowew.comprofi.ru/uploads/2020/01/28/810fd01ef5342d.pdf
    • http://newperspectivemedical.com/uploads/1/3/0/3/130313643/130313643.html#draw+bolt+template
    • https://xatukoronixelaw.weebly.com/uploads/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001597.bin
SHA-256: 3a636ad1db1c165612dbf54a3bf03bca961f474ff7833a708759b25e68988883
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1597
Size: 11496 bytes