Malicious PDF — malware analysis report

Static analysis result for SHA-256 2cde391cb97411fe…

Verdict: MALICIOUS
File type: PDF
Size: 39.1 KB
Authoring application: LibreOffice Draw
MD5: 3c8490aeb167e4e26a5661560d425701
SHA-1: d5950d296af200ac950f56de168413a38855bc6d
SHA-256: 2cde391cb97411fe45f12f6848c74aedb2ca78e315dd39d25bb9da90bfee72ba
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files, a technique commonly used for SEO poisoning and to distribute malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports this. The document body, though heavily obfuscated, contains references to URLs that are likely part of this link farm, aiming to redirect users to malicious sites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                         Kind             Source                                    Size
font_00_sfnt_off000010f6.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0x10F6 7924 bytes
  SHA-256: f3d1968190f4c8bac10027eadb860857bbdf71efefebcd6e10567007a99baded
font_01_sfnt_off000051e2.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0x51E2 16192 bytes
  SHA-256: 677e71428f97d697e1d37b94920902cc1f79d6c40420e53eae369df573da2ac3