Malicious PDF — malware analysis report

Static analysis result for SHA-256 1be7198f29e2aef1…

MALICIOUS

PDF

Size: 32.9 KB
Authoring application: LibreOffice
MD5: 8d513047dabc752e91be8125f8327e30
SHA-1: cf1fe9505e90e98eb9ae65b483411fd55f246f6c
SHA-256: 1be7198f29e2aef1610d4f6de245f1ae06a97e53559d2de588cf17c809f7cda2
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF was flagged by ClamAV with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis found a large number of external link annotations, the pattern of a generated SEO link-farm carrier whose purpose is to route the reader onward rather than to present content. The primary heuristic 'PDF_SEO_LINK_FARM' fired on this mass of external links to other PDFs, with 'koawarriors.com' the dominant host, consistent with a phishing or unwanted-software distribution chain. Note that the link targets themselves were not fetched during static analysis; the verdict rests on the file's structure and the antivirus signature, not on the content served at those URLs.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://koawarriors.com/uploads/1/3/0/6/130621895/baxilakebi.pdf
    • https://vekuwixikapip.weebly.com/uploads/1/3/0/4/130488442/xoresijezekafa.pdf
    • http://wixopu.nerosistema7.pro/uploads/2020/01/28/baa8ed4d68160.pdf
    • http://bacudel.com/uploads/2020/01/28/lenuvotafo.pdf
    • http://voteforuniversity.online/uploads/2020/01/28/9a8d36e.pdf
    • https://tisawatuv.weebly.com/uploads/1/3/0/2/130288557/jejej.pdf
    • http://mgpl-maa.com/uploads/1/3/0/6/130621893/34f02d.pdf
    • http://campingdishwasher.com/uploads/1/3/0/6/130621111/padanutexeluna.pdf
    • http://wapiwadur.solidstore.online/uploads/2020/01/28/5170938.pdf
    • http://collegeauditionsupport.com/uploads/1/3/0/6/130620429/c40a060e.pdf
    • http://nichellejensen4orem.com/uploads/1/3/0/4/130491947/4a8a46dfc2472ff.pdf
    • http://auntkates.com/uploads/1/3/0/5/130538925/tekesaj-mimatevagufo.pdf
    • http://coloquioespanacee1979-2019.com/uploads/1/3/0/5/130545098/130545098.html#sedentos+por+avivamento+pdf
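The PDF_SEO_LINK_FARM heuristic above combines three observations: the file is small, it carries many external link annotations, and those links point mostly at other PDFs and cluster on one host. The script below is an added worked example of that check, not the analysis platform's own code. It scans a PDF for /Link annotations with a /URI action, measures host clustering and the share of .pdf targets, and applies constructed thresholds (8 links, 64 KB, 50% host share, 50% PDF targets) that are illustrative, not the platform's. The sample PDF and its .example hostnames are constructed inline so the script runs offline; it reads only uncompressed object syntax, so a PDF that hides its annotations in compressed object streams must be inflated first.

```python
"""Link-farm triage for PDFs: count external /URI link annotations and
measure how strongly they cluster on one host and on .pdf targets.

Added example; thresholds, hostnames and the sample PDF are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# URI action of a link annotation in uncompressed object syntax:
#   /A << /S /URI /URI (http://host/path.pdf) >>
# Limitations: literal strings only (no hex strings, no escaped parens),
# and nothing inside /ObjStm or FlateDecode'd streams is seen.
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Return every URI reached through a link-annotation action."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def link_farm_verdict(pdf_bytes: bytes, *, min_links=8, max_size=64 * 1024,
                      min_host_share=0.5, min_pdf_share=0.5) -> dict:
    """Apply the small-file / many-links / one-host / .pdf-targets heuristic."""
    external = [u for u in extract_link_uris(pdf_bytes)
                if u.lower().startswith(("http://", "https://"))]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    pdf_targets = sum(1 for u in external
                      if urlsplit(u).path.lower().endswith(".pdf"))
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    n = len(external)
    # Short-circuit keeps the divisions safe when there are no links at all.
    fires = (len(pdf_bytes) <= max_size and n >= min_links
             and top_count / n >= min_host_share
             and pdf_targets / n >= min_pdf_share)
    return {"size": len(pdf_bytes), "external_links": n,
            "pdf_targets": pdf_targets, "dominant_host": top_host,
            "dominant_share": round(top_count / n, 2) if n else 0.0,
            "PDF_SEO_LINK_FARM": fires}


def build_sample_pdf(uris) -> bytes:
    """Constructed sample: a one-page PDF whose only content is link annotations."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % i for i in range(4, 4 + len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annots + b"] >>")
    for k, u in enumerate(uris):
        y = 700 - 20 * k
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 14, u.encode("latin-1")))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1) + b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


# Constructed link sets (.example is reserved; these hosts do not exist).
SAMPLE_FARM_URIS = [
    f"http://farm-a.example/uploads/1/3/0/6/13062189{k}/doc{k}.pdf" for k in range(8)
] + [
    "https://other-b.example/uploads/1/3/0/4/130488442/x.pdf",
    "http://other-c.example/uploads/2020/01/28/y.pdf",
    "http://other-d.example/uploads/2020/01/28/z.pdf",
    "http://other-e.example/uploads/1/3/0/5/130545098/index.html#some+title+pdf",
]
SAMPLE_BENIGN_URIS = [
    "https://www.example.org/paper.pdf",
    "https://docs.example.net/reference",
    "mailto:author@example.org",  # not an external http(s) link
]

if __name__ == "__main__":
    for label, uris in (("farm", SAMPLE_FARM_URIS), ("benign", SAMPLE_BENIGN_URIS)):
        print(label, link_farm_verdict(build_sample_pdf(uris)))
```

Run against a real sample, replace build_sample_pdf with the file's bytes; if extract_link_uris returns nothing for a PDF that visibly has links, inflate its object streams (for example with a PDF library or qpdf's stream decoding) before re-running, since the regex only sees uncompressed object syntax.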

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012fe.bin
SHA-256: 746449a3e56e93610c4d5b38242d0b01c75edbbaccf4b0b4e52dd8d2166abaa0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12FE
Size: 9632 bytes