Malicious PDF — malware analysis report

Static analysis result for SHA-256 44c1911b7ced37dc…

Verdict: MALICIOUS
File type: PDF
Size: 65.5 KB
Authoring application: LibreOffice
MD5: 3b6ce9f58036fe7063b732b1c1271988
SHA-1: 4bb9277bbfc83aa4dd6c0cf7e46609e8bb2e5268
SHA-256: 44c1911b7ced37dc7af30386a57123dbb118d4ce77e98c362d76e74220a21add
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded external links, indicative of a link farm designed to redirect users to potentially malicious content. The document body, though heavily obfuscated, contains several of these URLs, reinforcing the phishing or malware distribution intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000011cb.bin
    SHA-256: ebfe92575837363f263a1e36675fcdcd418ab29fa845c1d31d7e008b30211f67
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CB
    Size: 9944 bytes
  • font_01_sfnt_off0000a0ba.bin
    SHA-256: e354391bd8f2a5dd78d544bdc03be45900ab539e3280afa94fb47c829b24dd62
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA0BA
    Size: 3292 bytes
  • font_02_sfnt_off0000abcc.bin
    SHA-256: 144661a4f27aca4d086604d7d2668d16b4cd8d8bc1654c30935eeaedebe1dcc0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xABCC
    Size: 16528 bytes