Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9fe95bbacba3b7e…

Verdict: MALICIOUS
File type: PDF
Size: 34.8 KB
Authoring application: Scribus
MD5: 430290369bab2c3aeb7a0c843b498aff
SHA-1: 1015c16728a2dcf94da8aa129ed182e340fb0ccb
SHA-256: e9fe95bbacba3b7ebd01f37ff20dab51efa033bed15f745ebe7966333fba5594
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded URLs, indicating a link farm designed to redirect users. The PDF_SEO_LINK_FARM heuristic confirms this, identifying 31 generated SEO PDF links. No scripts were extracted from this sample, but the sheer volume of malicious URLs suggests a phishing or redirection campaign.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://kitcatcandles.com/uploads/1/3/0/5/130588575/tamipizojumapuwan.pdf
    • http://paduzuvug.ngochastore.com/uploads/2020/01/27/7973039.pdf
    • http://coffee-cap24.info/uploads/2020/01/27/jawowewaz.pdf
    • http://deillusionist.ru/uploads/2020/01/29/fa51a26.pdf
    • http://kwbtu.es/uploads/1/3/0/2/130271081/sodavezigunelixen.pdf
    • http://vepoxuz.kuhni-msc10.icu/uploads/2020/01/28/gubalipalonapaj_ruxopulabofot.pdf
    • https://wesekugu.weebly.com/uploads/1/3/0/5/130540699/9489730.pdf
    • http://tawet.martinsembalagensam.com/uploads/2020/01/27/ead19527c71ca6.pdf
    • http://tapeoutnow.com/uploads/1/3/0/5/130588821/75a2ae8d5bae341.pdf
    • http://nuniruw.xalat24.ru/uploads/2020/01/29/7491805.pdf
    • http://donat-to-katerina.com/uploads/2020/01/29/1718157.pdf
    • http://kinesiologie74.fr/uploads/1/3/0/5/130545189/fafufanira.pdf
    • https://derebowap.weebly.com/uploads/1/3/0/5/130544387/25f307.pdf
    • https://lozasebotizudu.weebly.com/uploads/1/3/0/2/130270941/2232106.pdf
    • http://kukar.onlinekursi.ru/uploads/2020/01/27/5643525.pdf
    • http://sobomo.alkotoxx.ru/uploads/2020/01/28/wobogetewu_lewuziwo_sogozomenunoz.pdf
    • http://tegun.vipiski-besplatno64.icu/uploads/2020/01/29/de17b6b0f2.pdf
    • http://fes.catiacristais.com/uploads/2020/01/27/4329129.pdf
    • http://siaenext.com/uploads/1/3/0/2/130271030/16e35c44f5.pdf
    • http://re-electgregbeck2018.com/uploads/1/3/0/3/130323462/130323462.html#plant+structure+and+function+worksheet+3rd+grade

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000154d.bin
SHA-256: a62af7390f08c13b7a5dda5b3d7ac6afeb48e7d0b2572551d588394e77c2c8a9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x154D
Size: 7568 bytes