Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebac3421f8bd009d…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Authoring application: Solid Converter PDF
MD5: 5ea879cd76e9c7befa89f3a3989e1f48
SHA-1: 53fd771695ac25606c3fe1f2769396995fb3aad1
SHA-256: ebac3421f8bd009d42a97ffd1f0ec2fc6e3c5dad5890ef875ff9e85bff2c4d3c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF documents hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the 'PDF_SEO_LINK_FARM' heuristic and ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body itself contains garbled text and a few of the same URLs, reinforcing the malicious intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: font_00_sfnt_off000012ad.bin
  SHA-256:  8f07bb5051e57809a867afffa270a5a16a018a98953c7de66960af322192d96b
  Kind:     pdf-font-stream
  Source:   PDF embedded font (sfnt) at offset 0x12AD
  Size:     8116 bytes