Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe226a78a24ef64f…

MALICIOUS

PDF

Size: 44.3 KB
Authoring application: ImageMagick
MD5: 0e1ee319966dfb1026bcd19a1d9e9863
SHA-1: 54000b2969f774f0e1b6d8359d7a27f4a7a87250
SHA-256: fe226a78a24ef64fa07de18228f269ebcf8c19566a3cba491240e747400e0a5d
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified as a link farm. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or malicious download campaign. The presence of a visual download button further supports the lure aspect of the attack. The primary IOC is the first URL in the link farm, which is likely the initial point of compromise.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://meriphotographe.com/uploads/2020/01/28/4d28a03be4a30.pdf
    • https://fanusosedavin.weebly.com/uploads/1/3/0/4/130483552/3029953.pdf
    • http://loxik.best-of-world.ru/uploads/2020/01/28/gozuvadisor-jekuvugariweta.pdf
    • http://gopebeg.colorsun.ru/uploads/2020/01/28/3501621.pdf
    • http://nupoxotur.tehnika-ask.ru/uploads/2020/01/27/ranudug_gixidot_tunawi_gezerimefunig.pdf
    • http://mall-mark.com/uploads/2020/01/28/5434309.pdf
    • http://panda-opt.ru/uploads/2020/01/29/097262.pdf
    • http://unavoceensemble.com/uploads/1/3/0/3/130312980/7620169.pdf
    • http://summergazeboreadings.org/uploads/1/3/0/2/130289327/xezumupidujaxe.pdf
    • http://vizew.grmo.xyz/uploads/2020/01/27/ruxifidejonuzo_xosenenizoj_waligegup_wawodudag.pdf
    • http://wibo.feierverkspb.ru/uploads/2020/01/27/bunudabo_nozutifireni_vavoba_xefezomawesizir.pdf
    • https://dusubigujejum.weebly.com/uploads/1/3/0/3/130312951/magirorixujabuwale.pdf
    • http://kibolono.slimbiotic-shop.ru/uploads/2020/01/27/5718342.pdf
    • https://pikimipev.weebly.com/uploads/1/3/0/6/130604333/lolujiwuzekados.pdf
    • http://sec2ndwind.com/uploads/1/3/0/5/130543569/wenabedalexog_mopamujajud.pdf
    • http://nerdcampmi.com/uploads/1/3/0/4/130476605/dekevoj.pdf
    • https://retunoroxumolu.weebly.com/uploads/1/3/0/5/130590019/zaxaribudisidode.pdf
    • https://wikaripunupa.weebly.com/uploads/1/3/0/4/130436139/b6d322124758.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/5/130539437/130539437.html#difference+between+lug+and+wafer+style+butterfly+valve

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000015f8.bin
    SHA-256: 5a704395ffabcc049872ef6e01942564c9e082ff44092f31475662a85d8f45b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15F8
    Size: 8920 bytes
  • Filename: font_01_sfnt_off00006535.bin
    SHA-256: 5d7ebd720715cd86529581f1d40cc643f68465477bd430d4be5ff736bc95f798
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6535
    Size: 16268 bytes