Malicious PDF — malware analysis report

Static analysis result for SHA-256 37bb0097b890a034…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Authoring application: LibreOffice Draw
MD5: d1c52d2e45228f504e2e29ecc4abaf4e
SHA-1: 6fb406b7080a51b3a668311472c19b963d2aed00
SHA-256: 37bb0097b890a034590d9afb8feeae77133870c68ac692696c0cb1fffab5013c
Risk score: 168

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link; T1059.001 Command and Scripting Interpreter: PowerShell
Note that nothing in the static results below (link annotations, scam-lure wording, one embedded font) shows a PowerShell component; the T1059.001 tag is not corroborated by this analysis.

For a 36.4 KB file the PDF carries an unusually large number of clickable external links (PDF_SEO_LINK_FARM heuristic): 17 of the 19 extracted URLs point at further PDFs hosted on different domains that all share the same /uploads/1/3/0/… path template, the shape of a generated link-farm carrier that routes readers into malicious or unwanted-software delivery chains rather than a document's normal citations. The SE_ADVANCE_FEE_SCAM_LURE heuristic fires because the document text combines lottery/beneficiary or prize language, large-value draft/funds wording and parcel/courier delivery requirements; the one non-PDF link, whose fragment reads counter+guarantee+standby+letter+of+credit, matches that financial-instrument wording. ClamAV independently flags the file as Pdf.Phishing.TtraffRobotInstall-7605656-0, which corroborates the heuristic verdict.

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the clustering is by path rather than by host: the 17 PDF targets sit on 17 different domains but share one /uploads/1/3/0/<n>/<id>/ path template.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is the classic advance-fee fraud document shape.
  • SE_INVOICE_LURE (low): Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (19; the last entry is truncated in the report):
    • http://genuinefenderparts.com/uploads/1/3/0/2/130271023/zovavesa_waxab_wilifokizufeti.pdf
    • http://apexformulas.com/uploads/1/3/0/8/130874066/0258c6fb76a5c.pdf
    • http://deckplans.voyagerwebsites.com/uploads/1/3/0/5/130542822/e2fce852e1f79.pdf
    • http://vexirmx.com/uploads/1/3/0/5/130551072/3108608.pdf
    • http://ancientartstone.net/uploads/1/3/0/5/130588601/476306.pdf
    • http://mimiwong.net/uploads/1/3/0/4/130489097/xekip-dixutisotana-kubusinusituser.pdf
    • http://simplyinspiredwords.com/uploads/1/3/0/4/130490687/letusumesed.pdf
    • http://temuyeme.com/uploads/1/3/0/9/130968911/7339193.pdf
    • http://namiwashcounty.org/uploads/1/3/0/7/130740062/duvadotemipi.pdf
    • http://nathansdetailing.net/uploads/1/3/0/6/130604022/144431.pdf
    • http://www.larasadadventures.com/uploads/1/3/0/4/130436272/5ff34.pdf
    • http://ajhollowayministries.com/uploads/1/3/0/4/130483552/812794.pdf
    • http://sahalbooks.com/uploads/1/3/0/4/130483817/folojiperisobibad.pdf
    • http://slatteneyecare.com/uploads/1/3/0/7/130738754/kefokulugaturum.pdf
    • http://ackoeltechniek.nl/uploads/1/3/0/6/130604562/rozazizemomidexoma.pdf
    • http://thingraniteveneer.com/uploads/1/3/0/6/130621587/rokaze-dojatu-buwaf.pdf
    • http://clavelia.com/uploads/1/3/0/6/130605244/760807.pdf
    • http://adsl-63-204-18-30.benefitplans.org/uploads/1/3/0/2/130287266/130287266.html#counter+guarantee+standby+letter+of+credit
    • http://simplyinspiredwords.com/u
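
How a link-farm heuristic of the PDF_SEO_LINK_FARM kind can be reproduced, as an added example written for this report rather than the analysis engine's own code: it pulls every /URI string out of the file (literal and hex string forms, including those stored inside FlateDecode streams), then measures how many external links a small file carries and how strongly they cluster on one host or on one digit-normalised path template, the pattern visible in the URL list above. The thresholds, the `.invalid` sample URLs, the minimal PDF builder and the function names are assumptions constructed here; the real heuristic's thresholds are not published on this page.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Regexes for the two PDF string forms a /URI value can take, plus stream bodies.
LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def scan_buffers(pdf_bytes):
    """Yield the raw file plus every stream body that inflates with zlib, so
    link dictionaries stored inside FlateDecode object streams are not missed."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed; nothing to inflate


def extract_uris(buf):
    """Return every /URI string in buf, decoding literal and hex string forms."""
    uris = []
    for m in LITERAL_RE.finditer(buf):
        # Undo the literal-string escapes that can legitimately appear in a URL.
        uris.append(re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1"))
    for m in HEX_RE.finditer(buf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"  # PDF pads an odd final hex digit with 0
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def link_farm_assessment(pdf_bytes, min_links=10, max_size=256 * 1024, cluster_share=0.6):
    """Assumed thresholds (not the report engine's): a file no larger than max_size
    carrying at least min_links external links, of which cluster_share or more share
    one host or one digit-normalised path template, is flagged as a link farm."""
    uris = [u for buf in scan_buffers(pdf_bytes) for u in extract_uris(buf)]
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    # Parent directory with digit runs collapsed, so /uploads/1/3/0/4/130489097/x.pdf
    # and /uploads/1/3/0/7/130740062/y.pdf count as the same generated template.
    templates = Counter(re.sub(r"\d+", "N", urlparse(u).path.rpartition("/")[0])
                        for u in external)
    n = len(external)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_tmpl = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(top_host, top_tmpl) >= cluster_share)
    return {"size": len(pdf_bytes), "external_links": n, "pdf_targets": len(pdf_targets),
            "distinct_hosts": len(hosts), "top_host_share": round(top_host, 2),
            "top_template_share": round(top_tmpl, 2), "flag": flagged}


def build_sample_pdf(urls, compress=False):
    """Constructed test input: a minimal one-page PDF with one /Link annotation per
    URL (no xref table, so it is only good for scanners like the one above).  With
    compress=True the page object is placed in a FlateDecode stream instead."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {10 * i} 200 {10 * i + 10}] "
        f"/A << /S /URI /URI ({u}) >> >>" for i, u in enumerate(urls))
    page = (f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{annots}] >> endobj\n").encode("latin-1")
    if compress:
        data = zlib.compress(page)
        page = (b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
                % len(data) + data + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + page + b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed URLs shaped like the report's link list (many hosts, one path template);
# .invalid hosts so nothing here resolves.
FARM_URLS = [f"http://site{i:02d}.invalid/uploads/1/3/0/{i % 10}/1305{i:05d}/doc{i}.pdf"
             for i in range(18)]
# A citation-like control: few links, unrelated hosts and paths.
CITATION_URLS = ["https://www.example.org/papers/a.pdf", "https://www.example.com/blog/post",
                 "https://www.example.net/downloads/rfc.txt"]

if __name__ == "__main__":
    for label, urls in (("link farm", FARM_URLS), ("citations", CITATION_URLS)):
        print(label, link_farm_assessment(build_sample_pdf(urls)))
    print("compressed farm", link_farm_assessment(build_sample_pdf(FARM_URLS, compress=True)))
```

Run against a real sample, `link_farm_assessment(open(path, "rb").read())` reports the link count, the number of distinct hosts and both clustering shares, so a case like this one (18 hosts, one template) is caught by the template share even though the host share is tiny. The scanner deliberately works on raw bytes rather than a full PDF object parser: a link-farm carrier does not have to be well formed for a viewer to follow its annotations, and a byte-level pass also sees URIs that a parser would skip after a damaged xref.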

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000034a4.bin
SHA-256:  ab2c9f13ed572063747ca61c656f809153ea90b91342f7e31860919fa000916e
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x34A4
Size:     6864 bytes

An embedded sfnt font is normal for a document exported by LibreOffice Draw; it is listed here as a carved artifact, not as a detection.