Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6b8f0b4f7591a40…

MALICIOUS

PDF

Size: 48.6 KB
Authoring application: Inkscape
MD5: 8de3ffcd7dc2ef42ba241fd740f2a856
SHA-1: 49df055ec9143acf89df71a0e0191dc929866dc3
SHA-256: e6b8f0b4f7591a40fac91e51500ad2b7c19be5e38e6eb753d009342796b9dcc5
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded external links, a common technique for SEO poisoning or phishing campaigns. The document body contains a mix of scientific text and the extracted URLs, suggesting a lure to disguise the malicious intent. The primary attack pattern involves directing users to a network of linked PDF files hosted on various domains.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001504.bin
    SHA-256: c54802d6208c7b70b97bbb6bf1323c9fdb60d87facc90c9e27e94147e160ff13
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1504
    Size: 8368 bytes
  • Filename: font_01_sfnt_off00007d52.bin
    SHA-256: 81296e72a58dff93921429a15258965fb8ac09f125cc6438f4f2d2b61392d5e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D52
    Size: 4544 bytes