Malicious PDF — malware analysis report

Static analysis result for SHA-256 e46f951b7db475b2…

Verdict: MALICIOUS
File type: PDF
Size: 41.8 KB
Authoring application: Poppler-utils
MD5: 6f12a76542830eb19a95fbe332da4adc
SHA-1: 950ab0cedd4754e4f11b8deb6602bd62753e309e
SHA-256: e46f951b7db475b2e07604b701872a7511c6f20f8bfd012afe2641be1a4702c8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. ClamAV also detected this as Pdf.Phishing.TtraffRobotInstall. The primary function appears to be directing users to a vast network of PDF files hosted on various domains, likely for SEO spam or to distribute further malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003560.bin
SHA-256: d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3560
Size: 2616 bytes

Filename: font_01_sfnt_off000040fb.bin
SHA-256: b87bfe07a292b15131dd946a06a52cea4bed4a2fb571d95770299a00c4433530
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x40FB
Size: 8080 bytes