Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f2469e8f0a83c56…

Verdict: MALICIOUS
File type: PDF
Size: 50.0 KB
Authoring application: OpenOffice.org
MD5: e903358bab9c3048be19cc9f0867ebdd
SHA-1: 80dfebd03cc2ed8eb443b2d28212ce2cf2b90ad0
SHA-256: 3f2469e8f0a83c56b6eca9d12115a621cc0e5796c2aba851d76b379fdb1a5108
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The document body also contains a lure instructing the user to enable macros or editing, which is a common technique for malware droppers. The ClamAV detection further supports the malicious nature of the file. The primary attack pattern involves redirecting users to external PDF files hosted on various domains.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [medium] SE_ENABLE_LURE: Macro/content-enable lure
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00003e87.bin
    SHA-256: efe41cb4757344bda3dd1affbfa1d1fc6d539c0708bc1541b179df59fdef8392
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3E87
    Size: 6412 bytes
  • font_01_sfnt_off00004dcd.bin
    SHA-256: 21e1b98dceec3e7b35dd2e2921961b3b1dfa48b804fe521582c9abeaaf9b26e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4DCD
    Size: 16440 bytes
  • font_02_sfnt_off00006692.bin
    SHA-256: 753d5b36cae22fb6ea25c93100d9ce1a9c09ba3feb9ce7a487dc51efdc7fe8da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6692
    Size: 8260 bytes