Malicious PDF — malware analysis report

Static analysis result for SHA-256 4663e19ab5c4a965…

Verdict: MALICIOUS
File type: PDF
Size: 51.1 KB
Authoring application: LibreOffice
MD5: 78ab94520251c12c6ff5678aa9cb5462
SHA-1: de86d5bab112988b29724da31bf1e762f701c15a
SHA-256: 4663e19ab5c4a9657a544e9e5a66dde0a936f29ba49fa0896c2b4b475896c02e
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, identified as a PDF SEO link farm. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' suggests a phishing or traffic-driving intent. The embedded URLs are likely used to redirect users to malicious content or to manipulate search engine results.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://webdisk.newenglandbusinesscenter.com/uploads/1/3/0/4/130483939/tusavimagixuzusi.pdf
    • http://blocktekcapital.com/uploads/1/3/0/5/130588744/96fcd3d4.pdf
    • http://rchurchspokane.org/uploads/1/3/0/7/130739459/3ea699a8b9cdd.pdf
    • http://roslyn.online/uploads/1/3/0/2/130289663/62a3b53b7a.pdf
    • http://southernor.com/uploads/1/3/0/5/130539696/3656769.pdf
    • http://nomadic-chris.com/uploads/1/3/0/3/130323767/4559771.pdf
    • http://onlinemobilesp.shop/uploads/1/3/0/7/130776612/f7e2e5.pdf
    • http://tagmusichk.com/uploads/1/3/0/2/130289797/99c401.pdf
    • http://laurabeardart.net/uploads/1/3/0/2/130291033/2219671.pdf
    • http://webdisk.stefanaarnio.com/uploads/1/3/0/7/130739719/jates_lifevoxepuboku_varatezuvesi.pdf
    • http://www.misogionline.com/uploads/1/3/0/5/130588624/354780369c.pdf
    • http://bikespinning.com/uploads/1/3/0/5/130589179/kofajosi.pdf
    • http://www.michaelwarrenmurphy.net/uploads/1/3/0/4/130477026/wujamediletaxenazi.pdf
    • http://beyourselfie.net/uploads/1/3/0/4/130436226/8685583.pdf
    • http://dancetodaybiz.com/uploads/1/3/0/5/130590036/vojur_keduli_soxeniwumejuz.pdf
    • http://www.christianleclerc.me/uploads/1/3/0/6/130639782/vikitulawijaxuveja.pdf
    • http://journeyfilms.net/uploads/1/3/0/5/130589309/2e59a57decd1.pdf
    • http://iamprovidence.net/uploads/1/3/0/6/130620451/jusoru_fodepav_xapiruk_nulavut.pdf
    • http://pepctest.org/uploads/1/3/0/5/130589228/nulogaku.pdf
    • http://terrasuaka.com/uploads/1/3/0/3/130323523/xelapikilenon.pdf
    • http://localfrio.net/uploads/1/3/0/2/130289433/fosinikinuzijam-dumotud-keguluv-vapisef.pdf
    • http://webmail.fairbanksfamilywellness.com/uploads/1/3/0/3/130379651/dudibuxijovatin-togojoretidu.pdf
    • http://www.31099grandview.com/uploads/1/3/0/2/130273790/kimuxezo-tenisigute-bixepofuwules-zifek.pdf
    • http://capefearforge.com/uploads/1/3/0/6/130604724/130604724.html#algebra+word+problems+questions+and+answers+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00004bef.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4BEF  16060 bytes
  SHA-256: b080e6aa9682ff87567a230b404ab00780bafcfd3ba11e3f536b788ca6e08ef5
font_01_sfnt_off00006369.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6369  8716 bytes
  SHA-256: 3ddb9d4339ccb252eae8b1fc17d34decbf60bff73d7ee46e4b8a85179493c76e