Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebeba4bbc7c8e70e…

MALICIOUS

PDF

Size: 54.1 KB
Authoring application: pstoedit
MD5: 614d743ef75a66c50c0f0466fc811c46
SHA-1: 964b54baae8cad6c0302f1c701df0029fb6dbb01
SHA-256: ebeba4bbc7c8e70ed23c260c9d8bac1ffa5ef6681918abe278b717f4b7935c04
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used for SEO poisoning or phishing campaigns. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-redirection intent. The document body itself is largely corrupted but contains some of the same URLs found in the link farm.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bisozab.fohow64.ru/uploads/2020/01/28/470cd396a355f.pdf
    • http://maternity-depot.net/uploads/1/3/0/5/130551464/xesopoge.pdf
    • http://sydney-boone.com/uploads/1/3/0/3/130379204/sesipodosalon_toseleki_garisudakesolet_kitatobob.pdf
    • http://batil.rossip.ru/uploads/2020/01/27/2166606.pdf
    • http://arenda-opalubki.pro/uploads/2020/01/29/2871900.pdf
    • http://mcginnecommconsulting.com/uploads/1/3/0/5/130539229/baminekowule.pdf
    • https://gazovabujo.weebly.com/uploads/1/3/0/4/130494801/pamis.pdf
    • http://fitchvilleumc.org/uploads/1/3/0/5/130588437/5972353.pdf
    • https://regugizimumala.weebly.com/uploads/1/3/0/5/130551191/1770748.pdf
    • http://pakekeza.girlsonvideo.store/uploads/2020/01/28/zomugiteluxusez.pdf
    • http://sweetnlowdachs.com/uploads/1/3/0/6/130621363/mezajidum-pinodagewugox-wanosamuza-midusejesefak.pdf
    • http://kuvujotup.arteltiles.com/uploads/2020/01/28/1ca70e25b8c.pdf
    • http://zotu.hopifai.info/uploads/2020/01/27/a740603b97dfad2.pdf
    • http://sasogawuso.ars-shipping.com/uploads/2020/01/27/sorunonaguto.pdf
    • http://womuwi.achdziewczyny.site/uploads/2020/01/28/xowev_bilisuvadet_bipefe.pdf
    • https://fisikogulu.weebly.com/uploads/1/3/0/5/130540116/wasetutikenavebabugo.pdf
    • http://buxufe.uzv-rf.ru/uploads/2020/01/27/bekazabidenifefobik.pdf
    • http://804windows.com/uploads/1/3/0/2/130289428/1946491.pdf
    • http://jovi.promokot.info/uploads/2020/01/28/6228368.pdf
    • http://kob.xeuns.ru/uploads/2020/01/27/3414390.pdf
    • https://vudotajadupu.weebly.com/uploads/1/3/0/3/130313090/9354455.pdf
    • https://sejekutigaba.weebly.com/uploads/1/3/0/5/130589230/2614566.pdf
    • http://tekad.vv6vv.top/uploads/2020/01/28/tedawejoduvitilob.pdf
    • http://reduf.nauticflclub.org/uploads/2020/01/28/tirasu-wawofiwot.pdf
    • http://northridgelevy.org/uploads/1/3/0/5/130588749/jagusexarenuxo-siwuxuzovu-jigopefopuwozep.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/3/130379271/130379271.html#ga+600+instructions+2017

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001009.bin
  SHA-256: e9c0219b67e0fa4c504658bc9871e07579303fa13f7d2337a0cef495b551b4dc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1009
  Size: 8812 bytes

Filename: font_01_sfnt_off00008ca1.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8CA1
  Size: 16036 bytes