Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbb7edebee466fcc…

Verdict: MALICIOUS
File type: PDF
Size: 69.3 KB
Authoring application: Mobipocket Creator
MD5: 80605efff7cc4c137afee2067aa0b1d1
SHA-1: ad6c011c5cb18587233708362ec8eecb7e0a2b4b
SHA-256: fbb7edebee466fcc1a75853e4ac0377131a3f78dd417450ac2be6a5d3360f9de
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link

The PDF contains an unusually large number of clickable external links for its size, which the PDF_SEO_LINK_FARM heuristic flags; the targets are almost all further .pdf files under same-shaped /uploads/ paths, many of them on weebly.com subdomains or on unrelated second-level domains. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports a phishing or traffic-redirection purpose. What remains of the document text is heavily garbled but refers to music downloads, consistent with a generated SEO decoy whose only function is to route the reader to the linked content. All three heuristics that fired concern link content; none reports active content such as JavaScript, launch actions or embedded files, so the actual payload lives behind the links, which this static result does not follow.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (25):
    • http://guri.findlove.fun/uploads/2020/01/27/3999984.pdf
    • http://ale-sajgon.com/uploads/2020/01/27/merotuvoxogovomelel.pdf
    • http://xekaxapud.avon-lider.com/uploads/2020/01/27/rajetufudov.pdf
    • http://botu.business-laboratory.ru/uploads/2020/01/29/dcb6bb76a51c8.pdf
    • http://getmarketing.club/uploads/2020/01/27/xebijemuvidudaw-timedodaj-basej.pdf
    • https://kuzibilopibav.weebly.com/uploads/1/3/0/2/130272505/3abd114b68.pdf
    • https://nowogumu.weebly.com/uploads/1/3/0/4/130483350/donokowi.pdf
    • http://betsybower.com/uploads/1/3/0/5/130589145/23af1eed62af5.pdf
    • https://kibudajonimi.weebly.com/uploads/1/3/0/5/130551177/0aaa6735de1.pdf
    • http://infrawerxtech.net/uploads/1/3/0/5/130588906/3156001.pdf
    • http://kirurofexu.firstcommonsense.com/uploads/2020/01/28/d7f52d3fad0.pdf
    • https://kiwoxugaxis.weebly.com/uploads/1/3/0/2/130272979/vesosazib-ritawuwur-duxesadewa-dakerujeju.pdf
    • http://ethereumbanking.net/uploads/2020/01/28/c2edc24ec.pdf
    • http://das.proastrologiu.ru/uploads/2020/01/28/2736815.pdf
    • http://lewari.ted4mail.com/uploads/2020/01/27/1948521.pdf
    • http://ludewevoza.instaprizer.pw/uploads/2020/01/29/1766013.pdf
    • http://kezit.fatedifiore.ru/uploads/2020/01/28/liluriwowozanesive.pdf
    • http://sok.om-dao.ru/uploads/2020/01/27/5970538.pdf
    • http://lego-kubik.ru:80/uploads/2020/01/28/kikosura.pdf
    • http://emeryplumbing.com/uploads/1/3/0/6/130621349/pabuvudedonisozenab.pdf
    • http://frostsurveyors.com/uploads/1/3/0/4/130435820/9603701.pdf
    • https://fadarotujoxap.weebly.com/uploads/1/3/0/2/130289658/400059.pdf
    • https://solutobezizid.weebly.com/uploads/1/3/0/5/130546759/sowubobuxuwat.pdf
    • http://nep.stoneprocessingtool.ru/uploads/2020/01/28/8587dae59b3e957.pdf
    • http://djsacademy.com/uploads/1/3/0/5/130590257/130590257.html#descargar+musica+grupera
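The two link-related heuristics above boil down to a small amount of logic: pull every /URI target out of the file (including ones hidden in FlateDecode object streams, where many producers pack annotation dictionaries) and then test whether a small file carries many external .pdf links clustered on one site. The following is an added example written for this page, not the analysis platform's own code; the PDF fixture, the hostnames under .test, the threshold values and the last-two-labels approximation of a registrable domain are all assumptions chosen for illustration.

```python
"""Pull /URI link targets out of a PDF and score them with a link-farm heuristic.

Added example (not the analysis platform's code). The PDF fixture, the
threshold numbers and the hostnames are assumptions chosen for illustration.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string): stop at the first ')' that is not backslash-escaped.
_URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(raw):
    """Undo the common PDF literal-string escapes \\( \\) and \\\\."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_uris(pdf):
    """Return every distinct /URI target, from the raw file and from any
    FlateDecode stream that inflates (object streams hide link dicts there)."""
    views = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # image data, another filter, or a corrupted stream
    found = []
    for view in views:
        for m in _URI_RE.finditer(view):
            uri = _unescape(m.group(1))
            if uri not in found:
                found.append(uri)
    return found


def _site(host):
    """Approximate the registrable domain as the last two labels. A real
    deployment would consult the Public Suffix List (assumption: no PSL here)."""
    return ".".join(host.lower().split(".")[-2:])


def link_farm_verdict(uris, pdf_size, min_pdf_links=10, max_size=256 * 1024, cluster_share=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, many external .pdf links,
    most of them on one site. The thresholds are illustrative assumptions."""
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    sites = Counter(_site(urlparse(u).hostname or "") for u in external)
    top_site, top_n = sites.most_common(1)[0] if sites else ("", 0)
    share = top_n / len(external) if external else 0.0
    fires = pdf_size <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_share
    return {
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_site": top_site,
        "top_site_share": round(share, 2),
        "PDF_SEO_LINK_FARM": fires,
    }


def build_fixture(urls):
    """Constructed, deliberately minimal PDF: one /Link annotation per URL as a
    plain object, except the last, which is packed into a FlateDecode object
    stream (/Type /ObjStm) the way real producers compress annotation dicts."""
    objs = []
    for n, u in enumerate(urls, start=1):
        annot = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                 b"/A << /S /URI /URI (%s) >> >>" % u.encode("latin-1"))
        if n < len(urls):
            objs.append(annot)
        else:
            header = b"%d 0 " % (n + 100)  # "objnum offset" pair that opens an ObjStm
            data = zlib.compress(header + annot)
            objs.append(b"<< /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>"
                        b"\nstream\n%s\nendstream" % (len(header), len(data), data))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, start=1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Size %d >>\n%%%%EOF\n" % (len(objs) + 1)


# Constructed fixture: twelve .pdf targets, ten of them on subdomains of one site.
FIXTURE_URLS = [f"http://sub{i}.farm-example.test/uploads/2020/01/27/{i}.pdf" for i in range(10)] + [
    "https://host-a.other-example.test/uploads/1/3/0/2/x.pdf",
    "http://host-b.third-example.test/uploads/2020/01/28/y.pdf",
]
FIXTURE_PDF = build_fixture(FIXTURE_URLS)

if __name__ == "__main__":
    uris = extract_uris(FIXTURE_PDF)
    print(len(uris), "URIs;", link_farm_verdict(uris, len(FIXTURE_PDF)))
```

Two points worth carrying into real tooling: scan inflated streams as well as the raw bytes, because a link annotation inside an object stream is invisible to a plain grep of the file, and cluster by registrable domain rather than by full hostname, otherwise a farm spread over a dozen weebly.com subdomains, as in the list above, never looks clustered.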

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded sfnt font streams (kind: pdf-font-stream).

font_00_sfnt_off000017b6.bin
  Source: PDF embedded font (sfnt) at offset 0x17B6
  Size: 10304 bytes
  SHA-256: 391bc57806e48662b0f29c94b01f881098d4d80d809ef4c9408633cd6e7c6bde

font_01_sfnt_off00008abb.bin
  Source: PDF embedded font (sfnt) at offset 0x8ABB
  Size: 20800 bytes
  SHA-256: 8f3c6ac098290535930a62471c59cc01db724254982e8b22b5293056f919eaaa

font_02_sfnt_off0000a9d1.bin
  Source: PDF embedded font (sfnt) at offset 0xA9D1
  Size: 2600 bytes
  SHA-256: bf9b9d10e9d9890ab9d1a7ec18efb3f3b6daf3583292778e90f0943f39e87841

font_03_sfnt_off0000b250.bin
  Source: PDF embedded font (sfnt) at offset 0xB250
  Size: 4312 bytes
  SHA-256: 5533337b5b2daa661eb7dda8dc03ca01464a919cce5b556fc70fd8d8bf14958b

font_04_sfnt_off0000c26c.bin
  Source: PDF embedded font (sfnt) at offset 0xC26C
  Size: 17992 bytes
  SHA-256: 11e4464386684e4756459c14cce5d346c591affbdfc2114d3b758fc55fd2c9bb