Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc07c5bd59fc28bf…

MALICIOUS

PDF

Size: 39.0 KB
Authoring application: Nitro PDF
MD5: ffdb77ecfee81bb113954a3fe2a09b36
SHA-1: bbd8f57170dfbc756d7a72d59e6db9c6c4fc446a
SHA-256: fc07c5bd59fc28bfd97150c5b78ae98655ccd34691469d76173a691ab50ad51c
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This pattern is indicative of a link farm used for SEO-based phishing or to distribute further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and traffic redirection nature of this file.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000206f.bin
SHA-256: 6c16bd8f726a971f3bf19e0f4a791d00a23f3c5d32d39851918e162a73ba8d1f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x206F
Size: 16164 bytes

Filename: font_01_sfnt_off000037ef.bin
SHA-256: d661fcfb353ecc5f85dae8d3c967a55004edb86eac7ce744d56b30b20800be68
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x37EF
Size: 7104 bytes