Malicious PDF — malware analysis report

Static analysis result for SHA-256 f23c98933dbdaca1…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Authoring application: SWFTools
MD5: 4f883acb9cecf5c2abf9f1f846bdd8a7
SHA-1: 6d9237bf358fda6bcf2222521e2a75d8025ca115
SHA-256: f23c98933dbdaca181768c08ba25a9fb514b0d1a499ceaff03869dccab38a2bd
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of external link annotations, a pattern characteristic of SEO-poisoning and phishing campaigns that use throwaway PDFs to route users to attacker-controlled pages. The ClamAV signature Pdf.Phishing.TtraffRobotInstall supports that assessment. The document body itself is corrupted or truncated, but the links point at .pdf files on a dozen unrelated domains that share an identical /uploads/1/3/0/<n>/<id>/ path layout, which points to one generator behind all of them and a coordinated effort to redirect users rather than a document citing its sources.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://stakemywallets.com/uploads/1/3/0/6/130639710/mesababokotubopujon.pdf
    • http://peterstownshipgolf.org/uploads/1/3/0/3/130323817/matukotegezisozad.pdf
    • http://ledgrowlightsformarijuana.org/uploads/1/3/0/6/130639994/surexa.pdf
    • http://ichunes.com/uploads/1/3/0/6/130620560/liginatuxavunisujupo.pdf
    • http://alleghenyknifeworks.com/uploads/1/3/0/6/130621840/2935237.pdf
    • http://oiseauchic.com/uploads/1/3/0/6/130621047/552013.pdf
    • http://britanynavarretephotography.com/uploads/1/3/0/6/130640163/a2f7eb2677.pdf
    • http://belliesandbundle.com/uploads/1/3/0/3/130313323/e625c6e4757c9a4.pdf
    • http://ahimsaartworkscom.com/uploads/1/3/0/3/130313363/xebule.pdf
    • http://citystudent.se/uploads/1/3/0/8/130873987/2820205.pdf
    • http://mjstead.com/uploads/1/3/0/7/130739937/famusotubuwukekik.pdf
    • http://christiandevlin.com/uploads/1/3/0/6/130621124/ec718c015.pdf
    • http://ahjf4ew.brdge.org/uploads/1/3/0/3/130313057/130313057.html#comment+programmer+un+afficheur+lcd+avec+arduino
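The EMBEDDED_URL channel labelling and the PDF_SEO_LINK_FARM rule reduce to a small amount of code. The block below is an added example written for this page, not the scanner's own implementation: it pulls URLs out of a PDF, labels whether each came from a clickable /Link annotation (/A << /S /URI ... >>) or from bare text in a content stream, inflates FlateDecode streams so annotations stored inside object streams are not missed, and scores the link-farm rule. The thresholds (64 KB, 8 links, 50% clustering) are illustrative assumptions. The clustered-by-path-template check goes beyond the rule text, which speaks of one host: the URL list above spans a dozen hosts that share a single /uploads/1/3/0/<n>/<id>/ layout, and collapsing digit runs in the directory path catches exactly that. Sample PDFs are constructed inline by build_sample_pdf(); the hostnames in them are made up and have no relation to the report's URLs.

```python
"""Toy PDF link-farm triage (added example, stdlib only).

extract_urls()        URLs plus the channel that carries each one.
link_farm_features()  size, clickable .pdf link count, host and path-template clustering.
is_seo_link_farm()    the PDF_SEO_LINK_FARM rule with illustrative thresholds.
PDF string escapes and hex strings are not handled; real samples need a full parser.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

URI_RE = re.compile(rb'/URI\s*\(')                                  # start of a /URI (literal) action
BARE_URL_RE = re.compile(rb'https?://[^\s()<>\[\]"\']+')            # anything that looks like a URL
STREAM_RE = re.compile(rb'\bstream\r?\n(.*?)\r?\nendstream', re.S)   # raw stream bodies


def _inflated_streams(pdf: bytes):
    """Yield the decoded body of every stream that inflates as zlib; all others are skipped."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue                      # plain content stream, image data, or corrupt: not zlib


def extract_urls(pdf: bytes):
    """Return [(url, channel)] with channel 'link_annotation' or 'document_body'."""
    found = []
    for blob in (pdf, *_inflated_streams(pdf)):
        # a URL is clickable when it is the string operand of a /URI action
        uri_starts = {m.end() for m in URI_RE.finditer(blob)}
        for m in BARE_URL_RE.finditer(blob):
            channel = 'link_annotation' if m.start() in uri_starts else 'document_body'
            found.append((m.group(0).decode('latin-1'), channel))
    return list(dict.fromkeys(found))     # de-duplicate, keep first-seen order


def link_farm_features(pdf: bytes):
    urls = [u for u, ch in extract_urls(pdf) if ch == 'link_annotation']
    parsed = [urlparse(u) for u in urls if urlparse(u).path.lower().endswith('.pdf')]
    hosts = Counter(p.hostname for p in parsed)
    # '/uploads/1/3/0/6/130639710/x.pdf' -> '/uploads/N/N/N/N/N': one generator, many sites
    templates = Counter(re.sub(r'\d+', 'N', p.path.rsplit('/', 1)[0]) for p in parsed)
    n = len(parsed)
    return {
        'size_bytes': len(pdf),
        'clickable_pdf_links': n,
        'distinct_hosts': len(hosts),
        'top_host': hosts.most_common(1)[0] if hosts else None,
        'top_host_share': hosts.most_common(1)[0][1] / n if n else 0.0,
        'top_path_template': templates.most_common(1)[0] if templates else None,
        'top_template_share': templates.most_common(1)[0][1] / n if n else 0.0,
    }


def is_seo_link_farm(pdf: bytes, max_size=64 * 1024, min_links=8, cluster_share=0.5) -> bool:
    """Small file, many clickable external .pdf links, targets clustered on one host or one
    path template. Thresholds are assumptions for the example, not the scanner's values."""
    f = link_farm_features(pdf)
    clustered = max(f['top_host_share'], f['top_template_share']) >= cluster_share
    return f['size_bytes'] <= max_size and f['clickable_pdf_links'] >= min_links and clustered


def build_sample_pdf(urls, compress=False) -> bytes:
    """Constructed test input, not a real sample: one page, one /Link annotation per URL, plus
    a bare URL in the page text. compress=True packs the annotation objects into a FlateDecode
    object stream, the way real PDF writers store them."""
    content = b'BT /F1 12 Tf 72 740 Td (Source: http://example.org/ref.pdf) Tj ET'
    first = 5
    annots = [(f'<< /Type /Annot /Subtype /Link /Rect [72 {700 - 14 * i} 300 {712 - 14 * i}] '
               f'/A << /S /URI /URI ({u}) >> >>').encode() for i, u in enumerate(urls)]
    refs = ' '.join(f'{first + i} 0 R' for i in range(len(annots)))
    out = bytearray(b'%PDF-1.5\n')

    def add(num, body):
        out.extend(f'{num} 0 obj\n'.encode() + body + b'\nendobj\n')

    add(1, b'<< /Type /Catalog /Pages 2 0 R >>')
    add(2, b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>')
    add(3, f'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [{refs}] >>'.encode())
    add(4, b'<< /Length %d >>\nstream\n' % len(content) + content + b'\nendstream')
    if compress:
        # object stream: "objnum offset" header pairs, then the objects back to back, deflated
        offsets, pos = [], 0
        for i, a in enumerate(annots):
            offsets.append(f'{first + i} {pos}')
            pos += len(a) + 1
        header = (' '.join(offsets) + '\n').encode()
        data = zlib.compress(header + b'\n'.join(annots) + b'\n')
        add(first + len(annots), b'<< /Type /ObjStm /N %d /First %d /Filter /FlateDecode /Length %d >>\nstream\n'
            % (len(annots), len(header), len(data)) + data + b'\nendstream')
    else:
        for i, a in enumerate(annots):
            add(first + i, a)
    out.extend(b'trailer\n<< /Root 1 0 R >>\n%%EOF\n')
    return bytes(out)


# Constructed demo inputs (made-up hosts): a 12-site farm whose paths follow one generator
# template, and the short reference list a genuine paper might carry.
FARM_URLS = [f'http://site{i:02d}.example/uploads/1/3/0/6/1306{i:05d}/{i:x}.pdf' for i in range(12)]
CITATION_URLS = ['https://arxiv.example/abs/1234.5678.pdf', 'https://ieee.example/document/42/paper.pdf',
                 'https://acm.example/doi/10.1/123456', 'https://rfc.example/rfc9110.html']

if __name__ == '__main__':
    for name, urls in (('farm', FARM_URLS), ('citations', CITATION_URLS)):
        doc = build_sample_pdf(urls, compress=True)
        print(name, is_seo_link_farm(doc), link_farm_features(doc))
        for url, channel in extract_urls(doc):
            print('  ', channel, url)
```

Run it and the farm document scores 12 clickable .pdf links on 12 distinct hosts with a 100% shared path template, so it fires even though no single host dominates; the citation document carries two .pdf links and stays below the count threshold. The bare http://example.org/ref.pdf in the page text is reported as document_body in both cases, which is the distinction the per-URL labels above are meant to convey.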

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt-wrapped (TrueType/OpenType) font programs; the detections above rest on the link annotations and the ClamAV signature, not on these fonts, but their hashes are listed so they can be checked separately.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00001b06.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1B06
  Size: 16036 bytes

font_01_sfnt_off0000326d.bin
  SHA-256: b44a94cd88f47b759ea38903fbebe8894388b75f4df95ad312a54c5019893e42
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x326D
  Size: 8680 bytes