Malicious PDF — malware analysis report

Static analysis result for SHA-256 45e7f4223eb4caac…

MALICIOUS

PDF

Size: 35.7 KB
Authoring application: OpenOffice Draw
MD5: 5de5148b66028b7c5537a588e8309aff
SHA-1: 51240fb7d2d7d3aeb4458e080611c20af9f5a041
SHA-256: 45e7f4223eb4caace360481257f6306f25b97a893721f21af320369b52a07859
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This technique is often used for SEO manipulation or to distribute malicious payloads. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious distribution intent. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery mechanisms.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://thecultivationofclarity.com/uploads/1/3/0/5/130588705/ledizezelaguw.pdf
    • http://doolbymobiledraws.com/uploads/1/3/0/7/130740027/kupalokowef.pdf
    • http://www.archetopehealth.com.au/uploads/1/3/0/5/130539612/litopajav.pdf
    • http://rootsandroyalty.com/uploads/1/3/0/2/130272348/1397847.pdf
    • http://cygnetsmagazine.com/uploads/1/3/0/6/130603673/bitotejunawodejun.pdf
    • http://www.sweetsevencakes.com/uploads/1/3/0/5/130538831/51c5e.pdf
    • http://thrivelc.org/uploads/1/3/0/7/130775862/vojevavabibodasuraxu.pdf
    • http://wagnercottonwedding.com/uploads/1/3/0/4/130489168/6554490.pdf
    • http://magicalcryptofriends.org/uploads/1/3/0/5/130544390/67563.pdf
    • http://dragonclasp.com/uploads/1/3/0/5/130540049/dumivu_poxili_dowaxisok.pdf
    • http://jeremyandkristina.com/uploads/1/3/0/5/130543538/kadidefokepixisijul.pdf
    • http://seattlegirlslacrosse.com/uploads/1/3/0/7/130775868/bomexix.pdf
    • http://soulpunk.net/uploads/1/3/0/2/130291453/kofag.pdf
    • http://bjoylash.com/uploads/1/3/0/5/130543979/4476223.pdf
    • http://millerspowdercoating.com.au/uploads/1/3/0/5/130539497/ed65dd.pdf
    • http://southbridgewbc.devsite-1.com/uploads/1/3/0/5/130588769/130588769.html#tp-link+router+access+point
    • http://dragonclasp.com/uploads/1/3/0/5/130540049/dumivu_poxili_dowa

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000030e9.bin
SHA-256: 1b4824ab757d83a1a010e540882b35530073d7414aece1f555ca6cf8c3f712e8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x30E9
Size: 7824 bytes