Malicious PDF — malware analysis report

Static analysis result for SHA-256 2626cc3cabad7f61…

MALICIOUS

PDF

39.6 KB Authoring application: LibreOffice Draw
MD5: 20e305a4db9b22821e32447d9d776004 SHA-1: 506d2bf2cb055acbcb355a83846b364ba404cf18 SHA-256: 2626cc3cabad7f616caad0021210d54fc0f52d8c1f6ca77fe791f7575ed105e6
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains a large number of embedded external links, a technique commonly used for SEO poisoning and phishing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious download intent. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of a link farm, suggesting an attempt to drive traffic to malicious sites. The document body is heavily obfuscated and does not provide clear textual lures.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vanutitek.weebly.com/uploads/1/3/0/4/130435725/boneborama.pdf
    • http://migrod13.com/uploads/1/3/0/6/130604032/fajawagaki.pdf
    • http://kissbotr.com/uploads/1/3/0/2/130287394/e5ce3fcd4d5e1.pdf
    • http://bestsellersdeal.nl/uploads/1/3/0/2/130272384/4525253.pdf
    • http://hamcox-ray.com/uploads/1/3/0/7/130740192/zojaxaxowezuroweguf.pdf
    • http://citasonlinepasaporte.com/uploads/1/3/0/5/130589094/6c89cee83ee0d6.pdf
    • http://lagosjobsite.com/uploads/1/3/0/2/130291434/8365992.pdf
    • http://openpaw.net/uploads/1/3/0/6/130605390/269f47e441.pdf
    • http://abettertravelagency.com/uploads/1/3/0/6/130620950/3363584.pdf
    • http://ntkdomains.com/uploads/1/3/0/5/130589014/pogima-sevuganoj-jexej.pdf
    • http://seizediem.com/uploads/1/3/0/5/130550874/130550874.html#appsc+group+2+2017+paper+pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000122e.bin
20949b9643f963778126c6ac1f5d9ecc320c5711fe56f11397387b55cd85c612		 pdf-font-stream PDF embedded font (sfnt) at offset 0x122E 8132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.