Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa4e48e1d71b0f71…

MALICIOUS

PDF

34.8 KB Authoring application: Serif PagePlus
MD5: 472d53e2fe41308747bf59fa3f81a80e SHA-1: 58be1788ef6d4a41a3818a6d2202e113aacfb5d5 SHA-256: fa4e48e1d71b0f717abc28c058ccb2f54d8b347d9adcf9b9577f00507c2b8004
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing indicating a link farm of external PDF files, with the primary URL being http://kusogoz.hlfxdata.online/uploads/2020/01/28/968ce.pdf. This suggests the document's purpose is to redirect users to a network of malicious or spam-related sites. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or traffic-driving intent. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kusogoz.hlfxdata.online/uploads/2020/01/28/968ce.pdf
    • http://brettwestfall.com/uploads/1/3/0/2/130270912/6394247adaa8.pdf
    • http://kez.best-pokupka5.ru/uploads/2020/01/28/2679707.pdf
    • http://madeinvenice.net/uploads/1/3/0/7/130739648/a0cebe4b230a4.pdf
    • https://zagotugow.weebly.com/uploads/1/3/0/5/130550731/sejosafuxad_labuxif.pdf
    • http://construction-staffing.com/uploads/1/3/0/6/130640183/durepimedaxurif.pdf
    • http://nr4u.weebly.com/uploads/1/3/0/6/130621746/30de1def80bd8f.pdf
    • http://untroubledminds.com/uploads/1/3/0/5/130588802/xituwapebap.pdf
    • http://afforablehomesociety.com/uploads/1/3/0/2/130270866/130270866.html#borderlands+2+won%27t+get+fooled+again+killer

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001215.bin
2c7e2798ff9066c0001cdccc3b4ebec5ea15807a4cd9e36301941b52d6da1a2f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1215 8808 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.