Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb19e90962146a82…

MALICIOUS

PDF

Size: 58.4 KB  |  Authoring application: Inkscape
MD5: 64d46a2bf5d4f015cfe5c28989607a15  |  SHA-1: d223c292e2761a678b3dd73d063bb1a46f1d06d4  |  SHA-256: fb19e90962146a820ad1167203afb04336df7c1ab0472a3d09ead1050e636145
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment; T1204.002 Malicious Link

The PDF file triggers a critical link-farm heuristic: it contains 31 external PDF links. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports its malicious nature. The embedded URLs are likely used to redirect users to phishing sites or to download further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001403.bin
SHA-256:  3ee93f34f40d632fa36963cd135aa59b8ad01416e2851ea11fdc12db9290248d
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1403
Size:     8920 bytes