Malicious PDF — malware analysis report

Static analysis result for SHA-256 528cf5be5f6c2547…

Verdict: MALICIOUS
File type: PDF
Size: 34.6 KB
Authoring application: LibreOffice Draw
MD5: 5557e01f871a729c387680be7d338260
SHA-1: 1900b64bc9e68a2d4e22b8edd2a05205d53daefa
SHA-256: 528cf5be5f6c2547ba39821866bc65ad246a9c5983b0beb8f08173ab8cfb5e9c
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF triggers the critical PDF_SEO_LINK_FARM heuristic: a 34.6 KB document carrying two dozen clickable external links. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 corroborates the verdict. The attack pattern is to lure the reader through these links, most likely to phishing pages or to further malware downloads. The links point at files on many unrelated domains that all share one upload-path template, which is characteristic of generated link-farm carriers rather than genuine citations. The document body also contains obfuscated text alongside the embedded URLs, reinforcing the phishing or malicious-download lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the links are spread over many hosts but share one path template (/uploads/1/3/0/<digit>/<nine-digit id>/...), so the clustering is by hosting template rather than by hostname.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ofa.sk/uploads/1/3/0/3/130379921/nolakolatixate.pdf
    • http://livewellnow.us/uploads/1/3/0/8/130873781/007cf767ffca3.pdf
    • http://whiskeyvegan.com/uploads/1/3/0/6/130639845/xuzolozav.pdf
    • http://warp-field.com/uploads/1/3/0/8/130814984/934b2195e7f994.pdf
    • http://www.suzitakahashi.com/uploads/1/3/0/5/130588244/telokesukovox-kibapifasa-nizox-famud.pdf
    • http://thego2gear.com/uploads/1/3/0/6/130620207/8701146.pdf
    • http://mail.cahabanewmedia.com/uploads/1/3/0/8/130814248/gapida-pamimurowiw.pdf
    • http://nataliekfitness.com/uploads/1/3/0/6/130604728/ladubodabujor.pdf
    • http://www.villageinvites.com/uploads/1/3/0/6/130605396/be8dbd350819f.pdf
    • http://mtmsmusic.com/uploads/1/3/0/3/130323302/163190.pdf
    • http://cathyhepworth.com/uploads/1/3/0/6/130639377/705ca.pdf
    • http://brushlove.ca/uploads/1/3/0/2/130287738/5789870.pdf
    • http://milwaukeegroup.net/uploads/1/3/0/3/130323449/gamiriv.pdf
    • http://4spn.com/uploads/1/3/0/4/130435644/jonovonoxemok.pdf
    • http://seanseitzrealtor.com/uploads/1/3/0/8/130813987/905345.pdf
    • http://mnhomeinteriors.com/uploads/1/3/0/6/130639277/5039460.pdf
    • http://autodiscover.sweetsbymaddie.com/uploads/1/3/0/5/130543980/xaliwiriwazevepan.pdf
    • http://dream-maker-institute.com/uploads/1/3/0/5/130589047/nizakuw_jidobo.pdf
    • http://crosleyhome.com/uploads/1/3/0/3/130313005/9667032.pdf
    • http://www.kismetbotanicals.com/uploads/1/3/0/5/130543394/wowenin.pdf
    • http://carboncrossfit.com/uploads/1/3/0/5/130545733/gawemu.pdf
    • http://pioneerwinecolorado.com/uploads/1/3/0/5/130543052/aa96e39.pdf
    • http://unique-security-solutions.com/uploads/1/3/0/5/130588468/130588468.html#joy+to+the+world+piano+sheet+music+advanced
    • http://mnhomeinteriors.com/uploads/1/3/0/6/13
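The two heuristics above (the PDF_SEO_LINK_FARM scoring and the per-channel URL labelling) can be reproduced with a small stdlib-only triage script. This is an added example, not the analyser's code or the report's own tooling: the thresholds, the channel names, the path-template normalisation and the constructed sample PDFs are this example's assumptions. Ten of the link URLs are taken from the list above; the example.org/example.com/example.net URLs are placeholders.

```python
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds: the report does not publish the analyser's own numbers.
MAX_SMALL_PDF_BYTES = 100 * 1024
MIN_LINKS_FOR_FARM = 8
MIN_CLUSTER_SHARE = 0.5  # share of links on the top host or top path template

URI_ANNOT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # /URI (literal string)
BODY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")         # URL-looking text anywhere

def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """(channel, url) pairs: 'link-annotation' for /URI actions, 'body' for
    URL text found elsewhere. Raw-byte scan only: hex strings, compressed
    object streams and encrypted files are not decoded, so an empty result
    is not proof of absence."""
    found, annot_urls = [], set()
    for m in URI_ANNOT_RE.finditer(pdf):
        url = re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")  # unescape \( \) \\
        annot_urls.add(url)
        found.append(("link-annotation", url))
    for m in BODY_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in annot_urls:  # the /URI text itself is matched here too
            found.append(("body", url))
    return found

def path_template(url: str) -> str:
    """Collapse digit runs and drop the file name, so /uploads/1/3/0/3/130379921/a.pdf
    and /uploads/1/3/0/8/130873781/b.pdf both map to /uploads/N/N/N/N/N/."""
    path = re.sub(r"\d+", "N", urlsplit(url).path)
    return path.rsplit("/", 1)[0] + "/"

def link_farm_score(pdf: bytes) -> dict:
    """PDF_SEO_LINK_FARM: small file, many external link annotations, and the
    links concentrated on one host or one path template."""
    urls = extract_urls(pdf)
    links = sorted({u for ch, u in urls
                    if ch == "link-annotation" and urlsplit(u).scheme in ("http", "https")})
    n = len(links)
    hosts = Counter(urlsplit(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host, top_host_n = hosts.most_common(1)[0] if n else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if n else (None, 0)
    host_share = top_host_n / n if n else 0.0
    tpl_share = top_tpl_n / n if n else 0.0
    fires = (len(pdf) <= MAX_SMALL_PDF_BYTES and n >= MIN_LINKS_FOR_FARM
             and max(host_share, tpl_share) >= MIN_CLUSTER_SHARE)
    return {"size_bytes": len(pdf), "external_links": n, "distinct_hosts": len(hosts),
            "top_host": top_host, "top_host_share": host_share,
            "top_path_template": top_tpl, "top_template_share": tpl_share,
            "PDF_SEO_LINK_FARM": fires, "urls": urls}

def build_pdf(links: list[str], body_text: str) -> bytes:
    """Constructed minimal PDF: one page, one /Link annotation per URL and a
    content stream carrying body_text. No xref table; the raw-byte scan
    above does not need one."""
    objs = ["<< /Type /Catalog /Pages 2 0 R >>", "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{5 + i} 0 R" for i in range(len(links)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{annots}] >>")
    stream = f"BT /F1 10 Tf ({body_text}) Tj ET"
    objs.append(f"<< /Length {len(stream)} >>\nstream\n{stream}\nendstream")
    for u in links:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({esc}) >> >>")
    body = "".join(f"{i} 0 obj\n{o}\nendobj\n" for i, o in enumerate(objs, 1))
    return f"%PDF-1.4\n{body}trailer\n<< /Root 1 0 R >>\n%%EOF\n".encode("latin-1")

# Ten of the link-annotation URLs listed in the report above.
FARM_LINKS = [
    "http://ofa.sk/uploads/1/3/0/3/130379921/nolakolatixate.pdf",
    "http://livewellnow.us/uploads/1/3/0/8/130873781/007cf767ffca3.pdf",
    "http://whiskeyvegan.com/uploads/1/3/0/6/130639845/xuzolozav.pdf",
    "http://warp-field.com/uploads/1/3/0/8/130814984/934b2195e7f994.pdf",
    "http://www.suzitakahashi.com/uploads/1/3/0/5/130588244/telokesukovox-kibapifasa-nizox-famud.pdf",
    "http://thego2gear.com/uploads/1/3/0/6/130620207/8701146.pdf",
    "http://mail.cahabanewmedia.com/uploads/1/3/0/8/130814248/gapida-pamimurowiw.pdf",
    "http://nataliekfitness.com/uploads/1/3/0/6/130604728/ladubodabujor.pdf",
    "http://www.villageinvites.com/uploads/1/3/0/6/130605396/be8dbd350819f.pdf",
    "http://mtmsmusic.com/uploads/1/3/0/3/130323302/163190.pdf",
]
# Placeholder citation links on RFC 2606 reserved names (not from the report).
CITATION_LINKS = ["https://www.example.com/paper.pdf", "https://www.example.net/dataset"]

FARM_PDF = build_pdf(FARM_LINKS, "Sheet music also at http://example.org/sheet-music")
BENIGN_PDF = build_pdf(CITATION_LINKS, "References follow")

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, {k: v for k, v in link_farm_score(pdf).items() if k != "urls"})
```

On the farm sample the top host share is only 0.1 (every link sits on a different domain) while the top path-template share is 1.0, which is why the score looks at both: a hostname-only clustering rule would miss exactly the pattern this report shows. The raw-byte scan is a triage shortcut; /URI values can also be hex strings or live inside compressed object streams, so a negative result from this script should be confirmed with a real PDF parser before clearing a file.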

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00002606.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2606  7744 bytes
SHA-256: c6ec2d7bbcc2f9bbd91c84688b59f4128b3b0b6113ebd721d157423f4e8ff421