Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe9562dfe8260be4…

Verdict: MALICIOUS
File type: PDF
Size: 38.0 KB
Authoring application: SWFTools
MD5: 66552f1821c76bac91fc5a299eaa8cf5
SHA-1: 3026dc2623e5533734916a84da426909532359ef
SHA-256: fe9562dfe8260be4fee09520bff809f600a11cdcf28d7ba008cf2ca2c8782e68
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment (ID/name mismatch in the report: in ATT&CK T1566.002 is Spearphishing Link and Spearphishing Attachment is T1566.001; either fits a mailed PDF whose payload is its outbound links)
  • T1059.001 PowerShell (not evidenced by this static analysis, which extracted no scripts)

The PDF carries a large number of clickable link annotations to external PDF files spread across many unrelated domains; every target follows the same /uploads/1/3/0/<n>/<numeric id>/<name>.pdf path pattern, which points to one generated campaign rather than a document with genuine citations. This is the pattern the PDF_SEO_LINK_FARM heuristic flags: a small SEO link-farm PDF used as a carrier that routes readers into further malicious or unwanted-software delivery chains. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently classifies the file as phishing. No scripts were extracted and the document body was truncated during extraction, so the specific lure text could not be recovered; the observed risk lies entirely in the outbound links, and the shared URL path pattern is the most useful pivot for blocking and for hunting related samples.

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. (In this sample the links are spread over many hosts but share one generated path template, which the heuristic treats the same way.)
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://betterbrainscience.com/uploads/1/3/0/6/130605146/ranevemewawa.pdf
    • http://ipnetworkflorida.net/uploads/1/3/0/6/130639217/nalubok.pdf
    • http://skokiepainters.com/uploads/1/3/0/4/130476912/7434340.pdf
    • http://brightonbeer.com/uploads/1/3/0/5/130544687/kuzurizogasavo.pdf
    • http://battagliaresearchgroup.org/uploads/1/3/0/5/130539657/wegeriwemezoro.pdf
    • http://siouxcitypropainting.com/uploads/1/3/0/6/130639220/danafavosuva.pdf
    • http://aysenurguler.com/uploads/1/3/0/5/130588390/30136.pdf
    • http://my365tutors.net/uploads/1/3/0/7/130775986/wewipepo_firete_jowitikojivol_mutowifuxojugi.pdf
    • http://mtgcoop.com/uploads/1/3/0/6/130639721/boleretejuduw.pdf
    • http://whollymos.com/uploads/1/3/0/6/130621357/nuzunatowune-rijive-vanadef.pdf
    • http://northcricklodge.com/uploads/1/3/0/7/130740213/tepufed_lotusuv_jimemefa.pdf
    • http://english-log-cabins.com/uploads/1/3/0/7/130739456/wubalugojomeregaf.pdf
    • http://rebeccavandover.com/uploads/1/3/0/6/130604859/rexukogomojevugo.pdf
    • http://feel-well.org/uploads/1/3/0/2/130291838/130291838.html#antibiotics+to+treat+gum+abscess
    • http://my365tutors.net/uploads/1/3/0/7/130775986/wewipepo_firete_jowitikojivol_mut (truncated as extracted)
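The link-farm heuristic above boils down to three measurable properties: a small file, many clickable external .pdf targets, and those targets clustering on one host or, as here, on one generated path template. The following Python is an added worked example, not the sandbox's own code, that pulls /URI link annotations out of a raw PDF and applies such a heuristic. The sample PDF it builds is constructed for the demonstration from a handful of the URLs listed above; the thresholds, the function names and the "path template" clustering rule are my assumptions, not the vendor's implementation.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: some of the link targets from the report, wrapped
# in a minimal hand-made PDF. This is NOT the analysed sample; it only
# exercises the extractor and heuristic below.
SAMPLE_URLS = [
    "http://betterbrainscience.com/uploads/1/3/0/6/130605146/ranevemewawa.pdf",
    "http://ipnetworkflorida.net/uploads/1/3/0/6/130639217/nalubok.pdf",
    "http://skokiepainters.com/uploads/1/3/0/4/130476912/7434340.pdf",
    "http://brightonbeer.com/uploads/1/3/0/5/130544687/kuzurizogasavo.pdf",
    "http://aysenurguler.com/uploads/1/3/0/5/130588390/30136.pdf",
    "http://feel-well.org/uploads/1/3/0/2/130291838/130291838.html#antibiotics+to+treat+gum+abscess",
]


def build_sample_pdf(urls):
    """One-page PDF whose /Annots array holds one /Link annotation per URL.
    The xref table is omitted: the extractor scans raw bytes and never
    resolves object references, so offsets do not matter here."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
        b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>\n"
        for u in urls
    )
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
            b"/Annots [\n" + annots + b"] >> endobj\n"
            b"%%EOF\n")


# /URI followed by a literal string, honouring backslash escapes. Hex strings
# and objects inside compressed object streams would need a real PDF parser;
# that is an assumed simplification of this example.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uri_links(pdf_bytes):
    """Return every /URI target found in the raw PDF, in file order."""
    links = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # undo the escapes that can legitimately occur inside a URL string
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        links.append(raw.decode("latin-1"))
    return links


def path_template(url):
    """Directory part of the path with digit runs collapsed, so that
    /uploads/1/3/0/6/130605146/x.pdf and /uploads/1/3/0/5/130544687/y.pdf
    both map to '/uploads/#/#/#/#/#'."""
    parent = urlparse(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "#", parent)


def link_farm_verdict(pdf_bytes, max_size=200_000, min_links=5, cluster_share=0.5):
    """Assumed re-implementation of a 'small PDF, mass external PDF links'
    heuristic: fire when a small file carries at least min_links external
    .pdf links and at least cluster_share of them sit on one host or share
    one generated path template."""
    urls = extract_uri_links(pdf_bytes)
    pdf_links = [u for u in urls
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(top_host, top_template) >= cluster_share)
    return {
        "all_urls": urls,
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host,
        "top_template_share": top_template,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

On the constructed sample the host share is only 0.2 (five links, five hosts) but the template share is 1.0, which is exactly why a host-only clustering rule would miss this campaign; the path-template measure is what makes the spread-across-domains variant seen here still score as a link farm.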

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00003bd6.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x3BD6   7928 bytes
  SHA-256: 53a3c61381afb769a47cdfb203c5cf7e560acbbb81cb3e90dbed82445656edab
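The artifact row above is what a stream carver produces: walk every stream object, undo the /FlateDecode filter, recognise an sfnt (TrueType/OpenType) container by its first four bytes, and record offset, decoded size and SHA-256 so the font can be matched across samples. The Python below is an added example of that carving step, not the sandbox's code. The PDF it scans and the fake font inside it are constructed for the demonstration; the artifact naming scheme copies the report's font_<n>_sfnt_off<offset>.bin form, and the decision to trust the position of endstream over the dictionary's /Length is my design choice.

```python
import hashlib
import re
import struct
import zlib

# sfnt container signatures an embedded /FontFile2 or /FontFile3 stream starts
# with once any /FlateDecode filter is removed.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType (CFF)",
    b"ttcf": "TrueType collection",
}

# 'stream' keyword that is not the tail of 'endstream'
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf):
    """Yield (data_offset, dict_bytes, raw_data) for each stream object.
    Length comes from where 'endstream' actually is, not from /Length, which
    malicious PDFs frequently get wrong on purpose. Assumed simplification:
    dict_bytes is the text between the preceding ' obj' keyword and 'stream'."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        end = pdf.find(b"endstream", start)
        if end < 0:
            return
        obj_pos = pdf.rfind(b" obj", 0, m.start())
        dict_bytes = pdf[obj_pos:m.start()] if obj_pos >= 0 else b""
        data = pdf[start:end]
        if data.endswith(b"\r\n"):
            data = data[:-2]
        elif data.endswith(b"\n"):
            data = data[:-1]
        yield start, dict_bytes, data


def sfnt_table_tags(font):
    """Table tags from the sfnt directory (numTables at offset 4, 16-byte
    records from offset 12); returns whatever is parseable, never raises."""
    if len(font) < 12:
        return []
    num_tables = struct.unpack(">H", font[4:6])[0]
    tags = []
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break
        tags.append(rec[:4].decode("latin-1"))
    return tags


def carve_sfnt_fonts(pdf):
    """One record per embedded sfnt font, named like the report's artifact
    (font_<n>_sfnt_off<offset>.bin), with the SHA-256 of the decoded font."""
    found = []
    for offset, dict_bytes, data in iter_streams(pdf):
        payload = data
        if b"/FlateDecode" in dict_bytes:
            try:
                payload = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or differently filtered: skip, do not crash
        kind = SFNT_MAGICS.get(payload[:4])
        if kind is None:
            continue
        found.append({
            "name": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
            "offset": offset,
            "size": len(payload),
            "kind": kind,
            "tables": sfnt_table_tags(payload),
            "sha256": sha256_hex(payload),
        })
    return found


def build_sample_pdf():
    """Constructed input: a plain page content stream plus a FlateDecode-wrapped
    fake TrueType font (valid sfnt header, two empty table records, no glyphs).
    Returns (pdf_bytes, font_bytes). Not the analysed sample."""
    font = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 2, 32, 1, 0)
    for tag in (b"head", b"name"):
        font += tag + struct.pack(">III", 0, 0, 0)  # checksum, offset, length
    font += b"\x00" * 64
    packed = zlib.compress(font)
    content = b"BT /F1 12 Tf (not a font) Tj ET"
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Length " + str(len(content)).encode() + b" >> stream\n"
           + content + b"\nendstream endobj\n"
           b"2 0 obj << /Length " + str(len(packed)).encode()
           + b" /Filter /FlateDecode /Length1 " + str(len(font)).encode()
           + b" >> stream\n" + packed + b"\nendstream endobj\n"
           b"%%EOF\n")
    return pdf, font


if __name__ == "__main__":
    sample_pdf, _ = build_sample_pdf()
    for record in carve_sfnt_fonts(sample_pdf):
        print(record)
```

The hash is taken over the decoded font rather than the compressed stream bytes: zlib output varies with compressor settings, so two droppers embedding the same font would otherwise produce different hashes and the cross-sample pivot the artifact table is meant to enable would be lost.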