Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec15f7df9f3bfbcf…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Authoring application: pstoedit
MD5: 962b4e45d460c5c08cc457d90e8a1c6e
SHA-1: 11b4932b9e9b477bd26e48c00fb6c89967a755f5
SHA-256: ec15f7df9f3bfbcfc0ef666978867f005b601963213e162d6ad269ce3e0c1fe9
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded links to other PDF files, a technique commonly used in SEO poisoning and phishing campaigns. The document body, though partially corrupted, suggests a lure related to a lost driver's license, intended to trick users into downloading further malicious content. The ClamAV detection name 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and malicious-download intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://restorehouse.org/uploads/1/3/0/4/130476135/rudozimaris-lezoxexu.pdf
    • http://coplandia.com/uploads/1/3/0/5/130543402/jutaven.pdf
    • http://ldceny.net/uploads/1/3/0/4/130491356/riguredonexu.pdf
    • http://nomidellepiante.weebly.com/uploads/1/3/0/6/130620609/f6a802485.pdf
    • http://sngprinting.com/uploads/1/3/0/5/130546543/nivuvekiwuwamutigowo.pdf
    • http://mypopularfood.com/uploads/1/3/0/2/130273617/56f0605c.pdf
    • http://sotuv.paypal-support.bz/uploads/2020/01/28/fetelabogokoxejomivo.pdf
    • http://kristindraucker.com/uploads/1/3/0/4/130483819/mepexiniluzejof.pdf
    • http://dave.one-drive.ru/uploads/2020/01/29/lizag_wapatusudipotim_bivukup_wezizuti.pdf
    • http://openmedaccess.net/uploads/1/3/0/5/130540219/fegisepokatevalotuv.pdf
    • http://analogi.us/uploads/1/3/0/3/130323767/1a951117b6086.pdf
    • http://agm58.icu/uploads/2020/01/28/nujibi.pdf
    • https://zilukepezos.weebly.com/uploads/1/3/0/5/130588214/6949645.pdf
    • http://nabuwumij.zaceni-prikol.com/uploads/2020/01/28/zogexesef-gitugigofis.pdf
    • http://diju.nolep-checker.net/uploads/2020/01/28/52daa3a8.pdf
    • http://wattersmark.com/uploads/1/3/0/6/130621582/8087c49793.pdf
    • http://beingself-centered.com/uploads/1/3/0/2/130273776/130273776.html#report+lost+driver+license+texas

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001440.bin
    SHA-256: d2fa932ebe079c298a9a5bbc9faf0a7976d628eaff1fd8806664fd97e4844bab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1440
    Size: 7880 bytes
  • Filename: font_01_sfnt_off00006bba.bin
    SHA-256: d12e1945699adc080c3e2f49a2c45ee9a70cbb178c18d882f92367fcd923f800
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6BBA
    Size: 16396 bytes