Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2859ee6dbb1ec28…

Verdict: MALICIOUS
File type: PDF

Size: 36.4 KB
Authoring application: GIMP
MD5: 870c3399374cc9e77c834e0de7fdf614
SHA-1: 34bee15fe20fd56986d1a25f3ff549086138c65c
SHA-256: f2859ee6dbb1ec28245e7e915149b781ebe10b153dcc9e5e6b9ef714d6ebcd7e
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a large number of clickable external links relative to its 36.4 KB size, flagged by the PDF_SEO_LINK_FARM heuristic. All fifteen extracted URLs point to PDF (and one HTML) files on otherwise unrelated domains, yet every one shares the identical /uploads/1/3/0/<n>/<id>/ path structure, which is characteristic of mass-generated link-farm content rather than of a document citing sources. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' independently points to phishing or traffic-redirection intent. The document body, though partly corrupted, mentions 'Minority scholarship form 2018-19' (the same phrase appears as the URL fragment of the .html link), a plausible lure to get the recipient to click the embedded links. Note that the T1059.001 (PowerShell) mapping is not backed by any heuristic listed in this report; treat it as a generic association rather than observed behaviour.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (15):
    • http://a-arik.com/uploads/1/3/0/7/130739330/ee29cc4c27202e3.pdf
    • http://sickbeetsmerch.com/uploads/1/3/0/8/130873880/3d7aefef8e43f4.pdf
    • http://qutisatelier.com/uploads/1/3/0/6/130604028/fc592d7051.pdf
    • http://juantaborda.com/uploads/1/3/0/5/130551008/koxiziderub-ligekurazur.pdf
    • http://tabletdevelopers.org/uploads/1/3/0/6/130639744/7ead3cd.pdf
    • http://witches.church/uploads/1/3/0/3/130379377/jinali.pdf
    • http://callardco.com/uploads/1/3/0/4/130435646/570be0189c.pdf
    • http://pulsewx.com/uploads/1/3/0/6/130640236/4153875.pdf
    • http://women-with-wings.org/uploads/1/3/0/6/130604838/ac25ebc9eb90.pdf
    • http://instrumentaldulcimermusic.com/uploads/1/3/0/6/130604256/5077348.pdf
    • http://chimegi.com/uploads/1/3/0/4/130435646/a76dea.pdf
    • http://vintagewoodworkingtools.net/uploads/1/3/0/3/130313117/wibepagapik-zabumav-ritonubo.pdf
    • http://www.theblogfather.co.nz/uploads/1/3/0/4/130483265/32eac8b16e.pdf
    • http://lungsrehab.org/uploads/1/3/0/2/130272350/1d6e6cfd.pdf
    • http://adsl-63-204-18-25.benefitplans.org/uploads/1/3/0/6/130603860/130603860.html#minority+scholarship+form+2018-19
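The following Python is an added example of the kind of check PDF_SEO_LINK_FARM describes; it is not the scanner's code and is not part of this report. It pulls /URI link-annotation targets out of a PDF's raw bytes and out of every FlateDecode stream that inflates (so annotations packed into an object stream, which a plain grep would miss, are still seen), then scores the link set on three signals visible in this sample: file size, share of targets ending in .pdf, and clustering of hosts or of digit-normalised path templates (the /uploads/#/#/#/#/#/ shape shared by all fifteen URLs above). The thresholds, the build_sample_pdf() test-input builder, and the site##.example URLs are assumptions made for the example; it handles literal strings only, not hex-encoded /URI values, and is no substitute for a real PDF parser.

```python
"""Link-farm heuristic over a PDF's /URI link annotations (added example, stdlib only).

Assumptions: thresholds are illustrative; build_sample_pdf() emits constructed
test input (no xref table), which is enough for a byte-level heuristic.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# "/URI (literal string)" with backslash escapes. Hex strings "/URI <...>" and
# octal escapes are deliberately not handled here.
URI_RE = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\)])*)\)")
# stream ... endstream bodies; "(?<!end)" stops "endstream" from opening a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)


def _unescape(s: bytes) -> str:
    """Undo the escapes a PDF literal string needs for '(', ')' and '\\'."""
    return (s.replace(b"\\(", b"(").replace(b"\\)", b")")
             .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_uris(data: bytes) -> list[str]:
    """/URI targets from the raw file plus every stream that zlib-inflates,
    so annotations hidden in a Flate-compressed object stream are still found."""
    views = [data]
    for m in STREAM_RE.finditer(data):
        try:
            views.append(zlib.decompress(m.group("body")))
        except zlib.error:
            pass  # not Flate-compressed; nothing to inflate
    return [_unescape(m.group("s")) for view in views for m in URI_RE.finditer(view)]


def path_template(path: str) -> str:
    """Directory part of a URL path with digit runs collapsed:
    /uploads/1/3/0/7/130739330/x.pdf -> /uploads/#/#/#/#/#/"""
    return re.sub(r"\d+", "#", path.rsplit("/", 1)[0] + "/")


def link_farm_verdict(data: bytes, *, max_size=64 * 1024, min_links=10,
                      cluster_share=0.5, pdf_share=0.8) -> dict:
    """Flag a small PDF whose external links are numerous and either clustered
    (one host or one path template dominates) or overwhelmingly .pdf targets."""
    ext = [p for p in map(urlsplit, extract_uris(data))
           if p.scheme.lower() in ("http", "https")]
    n = len(ext)
    hosts = Counter((p.hostname or "").lower() for p in ext)
    tmpls = Counter(path_template(p.path) for p in ext)
    pdf_targets = sum(p.path.lower().endswith(".pdf") for p in ext)
    top_host, top_host_n = hosts.most_common(1)[0] if n else ("", 0)
    top_tmpl, top_tmpl_n = tmpls.most_common(1)[0] if n else ("", 0)
    clustered = n > 0 and max(top_host_n, top_tmpl_n) / n >= cluster_share
    mass_pdf = n > 0 and pdf_targets / n >= pdf_share
    return {
        "flagged": len(data) <= max_size and n >= min_links and (clustered or mass_pdf),
        "size": len(data), "links": n, "hosts": len(hosts), "pdf_targets": pdf_targets,
        "top_host": top_host, "top_template": top_tmpl,
        "top_template_share": round(top_tmpl_n / n, 2) if n else 0.0,
    }


def build_sample_pdf(uris, compress=False) -> bytes:
    """Constructed test input: one /Link annotation per URI, either as plain
    objects or packed into a Flate-compressed object stream (/ObjStm)."""
    def esc(u):
        return u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              f"/A << /S /URI /URI ({esc(u)}) >> >>" for u in uris]
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(annots)))
    out = [b"%PDF-1.5\n",
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
           f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs}] >> endobj\n".encode()]
    if compress:
        offsets, pos = [], 0
        for i, a in enumerate(annots):          # ObjStm header: "objnum offset" pairs
            offsets.append(f"{10 + i} {pos}")
            pos += len(a) + 1
        header = (" ".join(offsets) + "\n").encode()
        payload = zlib.compress(header + "\n".join(annots).encode() + b"\n")
        out.append(f"4 0 obj << /Type /ObjStm /N {len(annots)} /First {len(header)} "
                   f"/Length {len(payload)} /Filter /FlateDecode >>\nstream\n".encode()
                   + payload + b"\nendstream\nendobj\n")
    else:
        out += [f"{10 + i} 0 obj {a} endobj\n".encode() for i, a in enumerate(annots)]
    out.append(b"%%EOF\n")
    return b"".join(out)


# Constructed URLs mimicking the report's pattern: unrelated hosts, identical
# /uploads/1/3/0/<n>/<id>/ path shape, nearly every target ending in .pdf.
SAMPLE_URIS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/13{i:07d}/{i:x}f3a.pdf"
               for i in range(1, 15)]
SAMPLE_URIS.append("http://site15.example/uploads/1/3/0/6/130603860/130603860.html"
                   "#minority+scholarship+form+2018-19")
# A few ordinary citation links (also constructed), for contrast.
CITATION_URIS = ["https://doi.example/10.1000/xyz123",
                 "https://journal.example/articles/2018/paper.pdf",
                 "https://archive.example/abs/1801.00001"]

if __name__ == "__main__":
    for name, uris in (("link farm", SAMPLE_URIS), ("citations", CITATION_URIS)):
        for compress in (False, True):
            print(name, "objstm" if compress else "plain",
                  link_farm_verdict(build_sample_pdf(uris, compress)))
```

On the constructed link-farm input the verdict is flagged in both the plain and the object-stream layout, with 15 links across 15 hosts, 14 .pdf targets and a single path template covering 100 % of them; the three citation links stay under the link-count floor. The object-stream case is the one worth keeping: a heuristic that only greps the raw file sees zero links there.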

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003352.bin
SHA-256: 85cd2a0216d68c53381fe433c8505d93ee3959b6b7c86d50800c8593d7fa7815
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3352
Size: 8312 bytes