Malicious PDF — malware analysis report

Static analysis result for SHA-256 42335fc337aea26d…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Authoring application: LibreOffice Draw
MD5: 7a7effe1fdc003d8d239a46bd42651fd
SHA-1: 8300eb754b2d811d2f7663a7de1b93d4064841c1
SHA-256: 42335fc337aea26d219917f7f29cc023d370e3bfcf412e7ce3647b633c818b77
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-driving intent. No scripts were extracted from this sample, and the document body content is heavily corrupted, preventing a more detailed analysis of the lure.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000037af.bin
SHA-256: 4d2bd9d849d73c3364f4a0b006912004cc5ef7252d0836b96ad4fbceb323b54a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x37AF
Size: 7244 bytes