Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9df2e6c03258101…

Verdict: MALICIOUS

File type: PDF

Size: 36.2 KB
Authoring application: Nitro PDF
MD5: 3f4c265eed094f3b86eb145ef8c2787b
SHA-1: c572ad77cb9669dacee6bf926ee86ab0b2bc0792
SHA-256: e9df2e6c0325810107f579f10fc9ada38edfe2cb01b47e33b673a98378b42eb4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links pointing to external PDF files hosted on various domains. This pattern is indicative of a link farm or a distribution mechanism for further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious classification. The document body itself is heavily obfuscated and does not provide clear textual lures.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://wickedricks.com/uploads/1/3/0/6/130620420/4e542550094b11.pdf
    • http://speculos.ca/uploads/1/3/0/2/130270963/tesonorit.pdf
    • http://www.drewgrahamart.com/uploads/1/3/0/5/130590036/sabijasoruxowaragif.pdf
    • http://findmoreroom.com/uploads/1/3/0/4/130491418/d500c06b33c22.pdf
    • http://pureblissbakeryoc.com/uploads/1/3/0/5/130539084/4fe02420e.pdf
    • http://butterflykissescrafts.com/uploads/1/3/0/3/130324136/afe7a.pdf
    • http://onelasttreat.org/uploads/1/3/0/5/130543148/sofonukabowelom.pdf
    • http://654877700609875573.com/uploads/1/3/0/7/130739423/munugatuganopine.pdf
    • http://www.sanjoselimo.net/uploads/1/3/0/6/130639659/c2d965.pdf
    • http://seldomimages.com/uploads/1/3/0/6/130603874/1776541.pdf
    • http://hykoo.net/uploads/1/3/0/6/130640094/6094987.pdf
    • http://creativeadsolution.com/uploads/1/3/0/4/130483086/7c07413f.pdf
    • http://plushdancewear.com/uploads/1/3/0/8/130815097/fdcba9f7d4f018b.pdf
    • http://promobileroadrepair.com/uploads/1/3/0/3/130323962/295d35c47a646.pdf
    • http://easyrealestatewebsites.com/uploads/1/3/0/5/130550748/xafata.pdf
    • http://letterwrecker.net/uploads/1/3/0/7/130740627/1854217.pdf
    • http://sealtails.com/uploads/1/3/0/3/130379222/2633013.pdf
    • http://symmetria.cl/uploads/1/3/0/6/130620295/sarujijakowu_lolegos_sebuw_lulorugowodu.pdf
    • http://opowl.com/uploads/1/3/0/6/130621552/tiluweb-xabolenekulebu-rifutazoburoj-riputofifane.pdf
    • http://dreadlocktarot.com/uploads/1/3/0/2/130271030/bajugex.pdf
    • http://17p5q5.salon225.com/uploads/1/3/0/5/130551144/130551144.html#list+of+words+with+denotative+and+connotative+meanings
    • http://creativeadsolu

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002f26.bin
SHA-256: ba20be4f576a3840a0a8b71c0c8a1b9f00af424e4ee09e40c013ec1cf6cee0f1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2F26
Size: 7648 bytes