Malicious PDF — malware analysis report

Static analysis result for SHA-256 f596314ebb3fb0ad…

Verdict: MALICIOUS
File type: PDF
Size: 33.7 KB
Authoring application: Smallpdf Desktop
MD5: 69256c2d70a18c670f510f20e7b4dc08
SHA-1: fa9df7d0f1c7da918f80f8056977833a05174bf2
SHA-256: f596314ebb3fb0ad15507c8c0a70124c47efed7acaf182f5ba5e643148080386
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious intent. The embedded URLs are likely used to redirect users to phishing sites or to manipulate search engine results.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000132e.bin
SHA-256: 750221a06378105ceba27d5214b39235b6c6f232a8ca15432ba0a607d9a15035
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x132E
Size: 7420 bytes