Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4d5b979d48ae4e2…

Verdict: MALICIOUS
File type: PDF
Size: 36.6 KB
Authoring application: Scribus
MD5: 672d5f307784cf780c388640619031d0
SHA-1: 1e28156a42576089a6a1c7b2341f743191c2b2a4
SHA-256: f4d5b979d48ae4e2b41965092b4be64252e1fb062e80459364862c482219391d
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, a common tactic for SEO poisoning and phishing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The document body, though partially corrupted, mentions stomach cramps during pregnancy, likely a lure to entice users to click the embedded links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000340f.bin
SHA-256: 2e2fca55a7cf2cb2573252420350d9555a151cc276c2113b14694c4bb2778d69
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x340F
Size: 7336 bytes