Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dac849e18e51bc8…

Verdict: MALICIOUS
File type: PDF
Size: 73.6 KB
Authoring application: OpenOffice.org
MD5: 4a6647bed809e1205f4a2cc9ab501404
SHA-1: 419c692d80b78f9b9da7fdf78644b910e7404a91
SHA-256: 1dac849e18e51bc8c36135b21488182c763b3da50078f87b033f08d203532775
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to phishing or traffic redirection. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery or execution methods.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00003af5.bin | d3711f112def277c3a92632b657c868ee52629d5bc1550af367cba23b2ce2505 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AF5 | 8896 bytes
font_01_sfnt_off0000522d.bin | 7ae50203b5c9704fa89b7781d388a6f8d6bdd3cde6659b0ab737c983617e61e7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x522D | 11024 bytes
font_02_sfnt_off00006b2d.bin | 0ec690569684ab17203c76c44c4a1fc83328a8f82a4b54de015a3f198a6a5d9e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B2D | 10076 bytes
font_03_sfnt_off00008ac7.bin | 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AC7 | 2600 bytes
font_04_sfnt_off00009451.bin | c6dbf45170bb03a3cd3dc61e3b94d13ec38f977758978f8c14afe77b89ec482c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9451 | 19180 bytes
font_05_sfnt_off0000b63a.bin | 8f21e84a931332d99e8680661a330d5f6fe8cead38497da4ca48cd64be796a4d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB63A | 11928 bytes