Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc96c32d22a6b880…

MALICIOUS

PDF

Size: 36.2 KB
Authoring application: Inkscape
MD5: 85ad5b77e3d7a47c5f1bfe00cc766514
SHA-1: c871d1ba65e46c5ad9e9ca2fb8e247a5c7bb4387
SHA-256: fc96c32d22a6b880be3c809fe8ea16d196276c5c75686671f2b38bb81e6a2ddb
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files, indicating a link farm for SEO poisoning. The document body text, though heavily obfuscated, contains references to 'Adobe convert pdf to word online' and includes multiple URLs that redirect to PDF files. This suggests a phishing or redirection campaign, likely aiming to distribute further malicious content or lead users to fraudulent sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing classification.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000012c3.bin
    0978dd36702b3cd19ba9315d2c57efcc400d7beaeb94c151fb339af9441cd88b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C3
    Size: 7600 bytes
  • Filename: font_01_sfnt_off000045ff.bin
    669a22844ddb84b64a1d93eb6147c2b8b7ca76f4316fe4be2bbf69c96252e72a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x45FF
    Size: 16180 bytes