Malicious PDF — malware analysis report

Static analysis result for SHA-256 2623cef4209b62a7…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Authoring application: LibreOffice Draw
MD5: 8c173162cc3baef64d35dddb1571d24f
SHA-1: 5de432e3d7562fc52acfcaa56fc8c5d69dd1b20d
SHA-256: 2623cef4209b62a73e9765eb003dc65fddef74c4edebc446f4636a601e867fbd
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. The heuristic PDF_SEO_LINK_FARM indicates a link farm, and the ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 suggests a phishing or traffic-driving purpose. The document body, though heavily corrupted, contains references to URLs that align with the link farm heuristic. The primary attack pattern involves directing users to these external links, likely to deliver further malicious content or conduct phishing.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001586.bin
SHA-256: 1470ce8f2b14c4cf5cadaf358ade1efcf19cdd6dd98f3f7ac7647f2f77a77136
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1586
Size: 8828 bytes