Malicious PDF — malware analysis report

Static analysis result for SHA-256 549efabe2406721f…

Verdict: MALICIOUS
File type: PDF
Size: 38.6 KB
Authoring application: LibreOffice Draw
MD5: 67da0956b883b2bb244746501c0ad876
SHA-1: 40aace2b0c361e74ed106e96c8324c272471d1e1
SHA-256: 549efabe2406721f0d2940ea740a8dac8bd84bfb272ee068b508b26d574966d4
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.002 User Execution: Malicious File

The PDF contains an unusually large number of external link annotations, which is what the PDF_SEO_LINK_FARM heuristic flags. The ClamAV signature independently labels it as phishing. The document body, although heavily obfuscated, contains references to a Bengali movie and repeats many of the URLs listed under the heuristics, consistent with a lure that routes the reader to external content. No scripts (JavaScript or otherwise) were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (8):
    • https://gevogiduxiwim.weebly.com/uploads/1/3/0/4/130435741/f75819e.pdf
    • http://headphonesman.net/uploads/1/3/0/3/130313809/subedokiwumapo.pdf
    • http://mypathwaytosuccess.org/uploads/1/3/0/7/130739371/mofiperugemumudariti.pdf
    • http://njgraniteconstruction.com/uploads/1/3/0/5/130589366/5088585.pdf
    • http://suchesfarmersmarket.com/uploads/1/3/0/4/130436439/loluxi-kigalatajexu-lasozizefi.pdf
    • http://spwhoa.com/uploads/1/3/0/6/130620694/9cd91.pdf
    • http://nwm5.club/uploads/1/3/0/5/130588757/6943454.pdf
    • http://cfthomas.com/uploads/1/3/0/4/130488851/130488851.html#bengali+movie+chokher+bali
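The two heuristics above (the link-farm rule and the per-channel URL labels) can be reproduced on raw PDF bytes without a full parser, because the signals live in uncompressed objects: `/URI (...)` actions inside `/Link` annotations and literal strings shown with `Tj` in the content stream. The script below is an added example written for this page, not code from the report's own analysis engine. It builds a constructed lure PDF (placeholder hosts under `example.test`, not the indicators listed above), labels each extracted URL with the channel that reached it, and applies a link-farm test in the spirit of PDF_SEO_LINK_FARM: small file, many link annotations, most pointing at `.pdf` files, most on one host. The numeric thresholds are assumptions; the rule text publishes none. Real samples usually compress content streams with FlateDecode, so a production extractor inflates streams first; that step is omitted here to keep the example self-contained.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Heuristic thresholds: assumptions for this example; the report's rule gives no numbers.
MAX_SIZE_BYTES = 64 * 1024      # "small PDF"
MIN_LINKS = 5                   # "many clickable external links"
MIN_PDF_LINK_SHARE = 0.5        # share of link annotations that target a .pdf
MIN_TOP_HOST_SHARE = 0.5        # "mostly clustered on one host"

URI_ACTION = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)")  # link-annotation /URI action
SHOWN_TEXT = re.compile(rb"\(([^)]*)\)\s*Tj")               # literal strings drawn with Tj
URL_IN_TEXT = re.compile(rb"https?://[^\s)]+")


def build_sample_pdf(link_uris, body_text):
    """Constructed input: minimal uncompressed PDF with one page, one /Link annotation
    per URI and body_text drawn on the page. Not the report's sample."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            None]  # page object, filled in once annotation object numbers are known
    content = b"BT /F1 12 Tf 72 700 Td (" + body_text.encode() + b") Tj ET"
    objs.append(b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream")
    annot_refs = []
    for uri in link_uris:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + uri.encode() + b") >> >>")
        annot_refs.append(b"%d 0 R" % len(objs))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
               b"/Contents 4 0 R /Annots [" + b" ".join(annot_refs) + b"] >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


def extract_urls(pdf):
    """Return (channel, url) pairs, labelling the channel that reached each URL."""
    found = [("link_annotation", m.group(1).decode("latin-1"))
             for m in URI_ACTION.finditer(pdf)]
    for text in SHOWN_TEXT.finditer(pdf):
        found += [("document_body", u.decode("latin-1"))
                  for u in URL_IN_TEXT.findall(text.group(1))]
    return found


def link_farm_verdict(pdf):
    """Apply the PDF_SEO_LINK_FARM-style test to raw PDF bytes."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link_annotation"]
    hosts = Counter(urlparse(u).hostname for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_links = sum(urlparse(u).path.lower().endswith(".pdf") for u in links)
    n = len(links)
    flagged = (len(pdf) <= MAX_SIZE_BYTES and n >= MIN_LINKS
               and pdf_links / n >= MIN_PDF_LINK_SHARE
               and top_count / n >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf), "links": n, "pdf_links": pdf_links,
            "top_host": top_host, "top_host_links": top_count, "flagged": flagged}


# Constructed lure: six .pdf links on one placeholder host, one stray .html link,
# and a movie-themed body string that also carries a URL.
SAMPLE_LINKS = ["http://files.example.test/uploads/1/3/0/4/1304/%04x.pdf" % i
                for i in range(6)] + ["http://other.example.test/page.html"]
SAMPLE_BODY = "free movie download http://other.example.test/index.html"

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS, SAMPLE_BODY)
    for channel, url in extract_urls(sample):
        print("%-16s %s" % (channel, url))
    print(link_farm_verdict(sample))
```

The per-channel label matters for triage: a URL that only appears as visible body text is a lure the reader has to act on, whereas a `/URI` action fires on a click anywhere in the annotation rectangle, and a URL reached from JavaScript or a macro needs no click at all.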

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00001161.bin | 8c9498c8ff5728b75bfd0fa9ffa67c4076ae1f58b93070cb47645502c16c8c05 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1161 | 8540 bytes
font_01_sfnt_off000052ef.bin | 24a40f0c9c24c31f4e84abf4b16dd01585b0ada3efa18570b63d2792f0c05475 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x52EF | 7108 bytes
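The two artifacts above were located by their sfnt header at a byte offset and bounded by the font's own table directory. The script below is an added example, not the report's carving code: it scans a buffer for the sfnt magics (`00 01 00 00` for TrueType, `OTTO` for CFF-based OpenType, `true` for older Mac TrueType), validates the table directory at each hit (plausible table count, printable tags, tables that lie after the directory and inside the buffer, matching table checksums) and reports the offset and size it would carve. The buffer is constructed: PDF-looking filler, a tiny two-table font placed at 0x1161 to mirror the first artifact's offset (its size is not the report's 8540 bytes), and a decoy magic with an absurd table count that the validator must reject. Real fonts need one extra rule that is only noted here: the `head` table's stored checksum is computed with `checkSumAdjustment` zeroed, so the example skips checksum verification for that tag.

```python
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Mac TrueType
HEADER_LEN, ENTRY_LEN = 12, 16


def sfnt_checksum(data):
    """Table checksum as the sfnt format defines it: big-endian uint32 sum, zero padded to 4."""
    data = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(data) // 4), data)) & 0xFFFFFFFF


def build_sfnt(tables):
    """Constructed input: assemble a tiny TrueType-flavoured sfnt from {tag: bytes}."""
    n = len(tables)
    entry_selector = n.bit_length() - 1                 # floor(log2(numTables))
    search_range = (1 << entry_selector) * ENTRY_LEN
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector,
                         n * ENTRY_LEN - search_range)
    directory, body, offset = b"", b"", HEADER_LEN + ENTRY_LEN * n
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag, sfnt_checksum(data), offset, len(data))
        body += data + b"\0" * (-len(data) % 4)
        offset += len(data) + (-len(data) % 4)
    return header + directory + body


def parse_sfnt_at(buf, pos, max_tables=64):
    """Validate an sfnt header at pos and bound it; None unless the directory is consistent."""
    if pos + HEADER_LEN > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, pos + 4)[0]
    dir_end = HEADER_LEN + ENTRY_LEN * num_tables
    if not 1 <= num_tables <= max_tables or pos + dir_end > len(buf):
        return None
    end, tags = dir_end, []
    for i in range(num_tables):
        tag, csum, off, length = struct.unpack_from(">4sIII", buf, pos + HEADER_LEN + ENTRY_LEN * i)
        if not all(0x20 <= b <= 0x7E for b in tag):         # tags are printable ASCII
            return None
        if off < dir_end or pos + off + length > len(buf):   # table follows the directory, fits
            return None
        # 'head' is skipped: its stored checksum ignores checkSumAdjustment (not handled here).
        if tag != b"head" and sfnt_checksum(buf[pos + off:pos + off + length]) != csum:
            return None
        end = max(end, off + length + (-length % 4))
        tags.append(tag.decode("ascii"))
    return {"offset": pos, "size": end, "tables": tags}


def carve_sfnt_fonts(buf):
    """Scan buf for sfnt magics; return every hit whose table directory checks out."""
    found = []
    for magic in SFNT_MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            font = parse_sfnt_at(buf, pos)
            if font:
                found.append(font)
            pos = buf.find(magic, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


def build_sample_buffer():
    """Constructed carrier: PDF-looking filler, a small sfnt at 0x1161, stream trailer
    bytes, then a decoy magic with numTables = 0xFFFF that must not be carved."""
    font = build_sfnt({b"cmap": bytes(range(1, 13)), b"glyf": b"G" * 20})
    filler = (b"/Filter /FlateDecode " * 300)[:0x1161]
    decoy = b"\x00\x01\x00\x00\xff\xff" + b"\0" * 10
    return filler + font + b"\nendstream\nendobj\n" + decoy + b"%%EOF\n"


if __name__ == "__main__":
    for font in carve_sfnt_fonts(build_sample_buffer()):
        print("sfnt at offset 0x%X, %d bytes, tables %s"
              % (font["offset"], font["size"], ",".join(font["tables"])))
```

Carving by directory extent rather than by the PDF stream's `/Length` is what lets the carved size differ from the stream size, and the checksum check is what keeps a stray `00 01 00 00` in compressed data from turning into a phantom artifact.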