Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd2017bca7475069…

Verdict: MALICIOUS

File type: PDF

Size: 42.1 KB
Authoring application: Inkscape
MD5: 6f26b42b47ba3f5b3a2d510b6649bcdc
SHA-1: c78e2e89feeb59cdd302b0d5f46927f17d216e4e
SHA-256: fd2017bca74750693a3232da15904f200be6e9f333c69fc08f6c6e279ff7ff17
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of SEO spam or a phishing campaign designed to drive traffic to malicious content. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of this document.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004264.bin
SHA-256: ee13d5405ea92643f9f43a84bd86b6ddd672fa72b1d81d4b8f382d547c0d10fa
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4264
Size: 8808 bytes