Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1a41f19a087b49e…

Verdict: MALICIOUS
File type: PDF
Size: 38.2 KB
Authoring application: Poppler-utils
MD5: 49858fd7ae1a9737774b42eb300cc95f
SHA-1: c8ab1390fb9d7c2b9a69a8b7a1c7f3d64425318e
SHA-256: f1a41f19a087b49eb7640f68e151ab70cb37293ccc87550dab5370c42b869a25
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious classification. The embedded URLs are likely used to redirect users to phishing or malware distribution sites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://moonlightgraphics65.com/uploads/1/3/0/6/130621554/popixilugu.pdf
    • http://artfullyinspiredcoaching.com/uploads/1/3/0/4/130490221/niworoxofo.pdf
    • http://defiddesign.com.au/uploads/1/3/0/4/130476984/kekigugal.pdf
    • http://corningfishandgame.org/uploads/1/3/0/6/130621905/e36208804e18d2d.pdf
    • http://adamsoilcompany.net/uploads/1/3/0/7/130776228/gamevewibotezoga.pdf
    • http://thymomahope.com/uploads/1/3/0/6/130620687/8622347.pdf
    • http://woodlandstuition.com/uploads/1/3/0/5/130550833/130550833.html#against+the+sun+hd+movie+free

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001122.bin
SHA-256: 3aad6107f0d99c51afba2daa76b0757e9839250967c2bb0903c8d06a58faab01
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1122
Size: 8200 bytes