Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a16fcf741ef3028…

MALICIOUS

PDF

114.7 KB Authoring application: LibreOffice Draw
MD5: 175b2a8b2acb2fca0711ad1e1ea66966 SHA-1: 760b6b5a93c0e85f3a2c123674df0ddc3e6593f1 SHA-256: 2a16fcf741ef302864bf18fbcc9250fb07c6f132f6b8fb12979de6ea4fa320e3
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1059.001 PowerShell

The document exhibits characteristics of a phishing or social engineering attack, specifically by requesting sensitive recovery information and presenting a large number of external links. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' indicates the document instructs the user to interact with command-line interfaces, suggesting an attempt to execute commands or exfiltrate data. The presence of numerous external PDF links points towards a link farm or redirection strategy to host malicious content.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nshslibrary.org/uploads/1/3/0/2/130270963/dusidezikajufevotodo.pdf
    • http://thebesticecreamandcoffeesolvang.com/uploads/1/3/0/6/130604085/9d12b122fe7.pdf
    • http://16365redington.com/uploads/1/3/0/4/130490221/134518.pdf
    • http://veryrio.com/uploads/1/3/0/5/130546354/sukeseve.pdf
    • http://northforklife.net/uploads/1/3/0/4/130483184/6073609.pdf
    • http://totalnonsensebycashion.com/uploads/1/3/0/5/130590462/7432530.pdf
    • http://aseanbamboocongress2019.org/uploads/1/3/0/2/130274338/8877132.pdf
    • http://misbailes.com/uploads/1/3/0/7/130776037/130776037.html#arcsight+esm+6.+9+admin+guide

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001307.bin
1a2649b5f3599b0a83b3f9866d52870be585a9f0f57817085a19f090336ec059		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1307 10004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.