Malicious PDF — malware analysis report

Static analysis result for SHA-256 264957292154911f…

MALICIOUS

PDF

Size: 47.1 KB
Authoring application: LibreOffice Draw
MD5: 47c271022bd26327c6b0fa9a26c9b513
SHA-1: 12e37172ec1bdd5e348a43c0ffa65e683f24531b
SHA-256: 264957292154911f5bb704d8ef8373a2094ba8bd9b1000ee130746b45d04b84b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on many different domains. This pattern is characteristic of a link farm or a phishing campaign designed to distribute malicious content or manipulate search engine results. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the assessment of malicious intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off0000467c.bin | e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea | pdf-font-stream | PDF embedded font (sfnt) at offset 0x467C | 2652 bytes
font_01_sfnt_off00005298.bin | 4131b5375f50cdf065524280612d0da98e624dbaf916ed9b8b564eead29ab085 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5298 | 8484 bytes