Malicious PDF — malware analysis report

Static analysis result for SHA-256 f89268cdb27c13d4…

MALICIOUS

PDF

Size: 34.0 KB
Authoring application: Smallpdf Desktop
MD5: 50030955b089bfff5685130137916a64
SHA-1: c5415e51a3357b994158f2f0e623b5c977416074
SHA-256: f89268cdb27c13d4600e0744fbb95ff26f3d561eaf79343f2b4bfb2397b9b4df
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment; T1204.002 Malicious Link

The PDF file contains a large number of external links to other PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This is a common technique for distributing phishing content or redirecting users to malicious websites. The ClamAV detection further supports its malicious nature. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001546.bin
SHA-256: f28f6eb308d0626b02b020b42efc1a2b54a65a32f96ca659e8869aea804bc21a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1546
Size: 7912 bytes