Malicious PDF — malware analysis report

Static analysis result for SHA-256 f27bfe57bdb78122…

Verdict: MALICIOUS
File type: PDF
Size: 42.2 KB
Authoring application: ImageMagick
MD5: 709df372418f23fa7fec3f615dd5b25b
SHA-1: 06c4093cfa1885a9e432fb7bd0c85826fcf529f1
SHA-256: f27bfe57bdb7812256391aa5301e51d1914adb97677c57e75bdb99a1572f66e4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file contains a large number of embedded links pointing to external PDF files, a technique commonly used for SEO poisoning or phishing campaigns. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The document body contains irrelevant text and what appears to be corrupted data, suggesting it is not intended for human consumption but rather as a container for the malicious links.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nangginkui.com/uploads/1/3/0/2/130271017/gelobedevojitop_mimatuk_valagavusovew_napuw.pdf
    • http://thenanastudios.com/uploads/1/3/0/4/130435680/febumowazuwaz-gusura-vomap-wimam.pdf
    • http://artofamandaheard.com/uploads/1/3/0/5/130551212/eb32a44.pdf
    • http://medicalplasticmolding.net/uploads/1/3/0/4/130490609/marurovakob.pdf
    • http://odinsolutionsintl.net/uploads/1/3/0/5/130589354/95389eb94d97.pdf
    • http://alfonsinario2016.com/uploads/1/3/0/4/130435985/sodigudefud.pdf
    • http://kirawan.org/uploads/1/3/0/7/130776264/dotusawuxafo.pdf
    • http://www.dmytroserramenti.com/uploads/1/3/0/5/130544591/85f10.pdf
    • http://breakfastwear.com/uploads/1/3/0/2/130289430/3551746.pdf
    • http://mmccolorado.online/uploads/1/3/0/5/130590664/jenejurix.pdf
    • http://leli-v.com/uploads/1/3/0/7/130776661/1d254dcfbf.pdf
    • http://lumicharmed.com/uploads/1/3/0/6/130639962/71c6a17e2d.pdf
    • http://ivneglobalservices.org/uploads/1/3/0/4/130435988/vorewa_sawididogagora_jowujepi_gizorig.pdf
    • http://deannamcleod.com/uploads/1/3/0/2/130273894/4390832.pdf
    • http://frosthollowpub.com/uploads/1/3/0/6/130621200/e4f3bd5634fa6c0.pdf
    • http://desatascosterrassa.com/uploads/1/3/0/2/130292125/d64c0e.pdf
    • http://cccvancouver.com/uploads/1/3/0/6/130604181/088dae79.pdf
    • http://intlwomentravelcenter.com/uploads/1/3/0/7/130775627/e1cf6398.pdf
    • http://carowoods.co.uk/uploads/1/3/0/2/130291649/130291649.html#achyutam+keshavam+female+version+mp3+song+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source inside the PDF, and size.

  • font_00_sfnt_off00001dbf.bin
    SHA-256: 067f43d70a6d949beb361fac35d9357494d0be90342860a2b8fb7c6a193e65b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1DBF
    Size: 7804 bytes
  • font_01_sfnt_off0000315b.bin
    SHA-256: 48dc34574ad466b140e1cd652e666c68fc4f3c002b3b202410ec1bddaf17efe6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x315B
    Size: 16100 bytes
  • font_02_sfnt_off0000489d.bin
    SHA-256: e49d80fa02b877997fcd28ad5b3964f8a714c9b39ef86727119854e8aba8122c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x489D
    Size: 7360 bytes