Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc52065a455a61d5…

Verdict: MALICIOUS
File type: PDF
Size: 35.0 KB
Authoring application: Nitro PDF
MD5: 5ef48b6bc991b9a0ddfc0c3aabf25bb1
SHA-1: 3fceafcdf23a95db7e86b01eaa0dc5f1f56e1f5c
SHA-256: fc52065a455a61d5c6b696454d454c4ddb5cf9a2fa74e1b7f10f029fcd587051
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a mass external link farm, with 22 links pointing to other PDF files hosted on various domains. The document body presents a fake resignation letter to lure users into clicking these links. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further indicates a phishing or malicious traffic redirection intent. The primary IOC is the first URL in the link farm, http://solidinvestmentgroupbvba.com/uploads/1/3/0/5/130540284/702346.pdf.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000339c.bin
SHA-256: c02181381c42a786dff634a8b859cfc911a63b3b79b1a48281ee1619e3c0284d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x339C
Size: 7360 bytes