Malicious PDF — malware analysis report

Static analysis result for SHA-256 e974a1a667bfdd3a…

Verdict: MALICIOUS
File type: PDF
Size: 42.0 KB
Authoring application: SWFTools
MD5: 3eecf08677796dfd05f8f7e1a6e4475a
SHA-1: d41c808e158a402ad362b3b7842cd2eccfbefd75
SHA-256: e974a1a667bfdd3ac6b4073555ed20264ba6d3fe08d1107994f5b75513bdb1c6
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted across numerous domains. This behavior is indicative of a link farm or a phishing campaign designed to redirect users to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious classification. No scripts were extracted, and the document body was heavily obfuscated, which limited further analysis of the specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004059.bin
SHA-256: c33418cc47f58936fff91896d66735bedc4f5cd0e7777c078f0e0fa5aa74545b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4059
Size: 9388 bytes