Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb6c1cf8e4b64ba1…

Verdict: MALICIOUS
File type: PDF
Size: 42.1 KB
Authoring application: Soda PDF
MD5: 6fbfedf50419bf265a1cae649786fb81
SHA-1: 3a90ab586129fa2d0827419d4a057cb7e5be300b
SHA-256: eb6c1cf8e4b64ba195d6cc352dfad5683462fe1cfd3b75b7098a3577a3987567
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link (the name "Spearphishing Attachment" belongs to T1566.001; the sub-technique matching the link-based behaviour below is Spearphishing Link)
  • T1059.001 PowerShell (not corroborated by any heuristic or extracted artifact listed in this report)

The PDF file exhibits the characteristics of a phishing lure, as indicated by the PDF_SEO_LINK_FARM heuristic and the ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0. The document carries numerous clickable external links rather than any executable payload, so the attack pattern is redirection: the user is routed through these links into a phishing or unwanted-software delivery chain. Note that the extracted URLs are spread across many distinct hosts but share one path template (/uploads/<n>/<n>/<n>/<n>/<id>/<name>.pdf), which is the generated link-farm signature here; the individual URLs are not detections in themselves, and the verdict rests on the signature match and the link-farm pattern.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://2017chessietrailfallhalfmarathon5k.com/uploads/1/3/0/6/130604487/rapotavexon.pdf
    • http://morganlwebster.com/uploads/1/3/0/6/130639317/vavuv.pdf
    • http://plumluvfoods.com/uploads/1/3/0/5/130588315/zabinuvarigi_kesaxawipijap_nedesufudupejuj.pdf
    • http://tonces.net/uploads/1/3/0/5/130543256/jaxibizasu-gaxanevul-nomugajujiweju.pdf
    • http://myrolemodel.info/uploads/1/3/0/6/130640220/rewiboguvavel.pdf
    • http://100wwclickingcounty.org/uploads/1/3/0/4/130494478/nutibemiwefu-runuli-nuravabubo.pdf
    • http://mikescottthomson.com/uploads/1/3/0/6/130639768/4ceb2f89.pdf
    • http://7tonn.online/uploads/2020/01/28/wadaxomi.pdf
    • http://metiscollege.ca/uploads/1/3/0/3/130323219/d79e4cdd.pdf
    • http://sirinavideo.com/uploads/1/3/0/6/130604090/29407d6b8.pdf
    • http://miraclevalleyceylon.com/uploads/1/3/0/6/130621285/jubitig-majejej.pdf
    • http://voteforuniversity.online/uploads/2020/01/28/c914b8.pdf
    • http://nancytoofani.com/uploads/1/3/0/5/130546024/130546024.html#cordones+de+billroth
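The link-farm heuristic and the per-channel URL labels above can be reproduced with a small raw-byte scanner. The following is an added example written for this page, not the analysis platform's own code: it separates URLs reached through /Link annotations from bare URLs elsewhere in the file body, measures how many external .pdf targets there are and how strongly they cluster on one host, and builds a constructed sample PDF to run against. The thresholds (MAX_SIZE_BYTES, MIN_EXTERNAL_PDF_LINKS, MIN_TOP_HOST_SHARE) and the sample hostnames are assumptions; the report does not publish its cut-offs.

```python
"""Link-farm PDF heuristic over raw bytes: link-annotation URIs, body URLs, host clustering."""
import re
from collections import Counter
from urllib.parse import urlparse

# Cut-offs are assumptions chosen for this example; the report does not publish its thresholds.
MAX_SIZE_BYTES = 100 * 1024       # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 8        # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.5          # "mostly clustered on one host"

# /URI (literal string) inside a /Link annotation's action dictionary.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
# Bare URLs anywhere in the file (content streams, metadata, comments).
BARE_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")


def extract_link_uris(pdf_bytes):
    """URIs reached through link annotations (the 'link annotation' channel).
    Scans raw bytes only: objects hidden in FlateDecode object streams must be
    inflated first in a production analyser, or they will be missed here."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group("uri").replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def extract_body_urls(pdf_bytes):
    """Every bare URL in the file, deduplicated, in order of first appearance."""
    return list(dict.fromkeys(u.decode("latin-1") for u in BARE_URL_RE.findall(pdf_bytes)))


def link_farm_verdict(pdf_bytes):
    """Apply the PDF_SEO_LINK_FARM-style test and label URLs by channel."""
    annot_uris = extract_link_uris(pdf_bytes)
    known = set(annot_uris)
    body_only = [u for u in extract_body_urls(pdf_bytes) if u not in known]  # 'document body' channel
    external = [u for u in annot_uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlparse(u).hostname or "").lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf_bytes) <= MAX_SIZE_BYTES
               and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
               and share >= MIN_TOP_HOST_SHARE)
    return {
        "size_bytes": len(pdf_bytes),
        "link_annotation_urls": annot_uris,
        "body_only_urls": body_only,
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "flagged": flagged,
    }


def build_sample_pdf(uris, body_text=b"BT (Details at https://body-text.example/notes) Tj ET"):
    """Constructed minimal one-page PDF with one /Link annotation per URI.
    Sample input for this example only; it is not the analysed file."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        None,  # page object, filled in once the annotation object numbers are known
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(body_text), body_text),
    ]
    annot_refs = []
    for uri in uris:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>" % uri.encode())
        annot_refs.append(b"%d 0 R" % len(objs))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
               b"/Contents 4 0 R /Annots [%s] >>" % b" ".join(annot_refs))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


# Constructed link set: nine .pdf targets on one host, two on others, one non-PDF page.
SAMPLE_URIS = (
    ["http://docs-farm.example/uploads/1/3/0/6/13060%d/file%d.pdf" % (i, i) for i in range(9)]
    + ["http://other-one.example/uploads/a.pdf",
       "http://other-two.example/uploads/b.pdf",
       "http://other-three.example/page.html#keyword+stuffing"]
)

if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(SAMPLE_URIS)).items():
        print("%-22s %s" % (key, value))
```

Because the scanner works on raw bytes, it sees only uncompressed objects; a real carrier that stores its annotations in an object stream has to be inflated (or parsed with a proper PDF library) before the same counting logic applies. The URL list in this report also shows why clustering should be measured on more than the hostname: there the hosts differ but the path template repeats, so a production rule would want a path-shape feature alongside the host share.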

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000153b.bin
    SHA-256: 2247e4fd63def7f222d839e1f248ba0ceda9c4ad5cefdc955b096d975c5aa4a6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x153B
    Size: 9096 bytes