Malicious PDF — malware analysis report

Static analysis result for SHA-256 56264c11b2a8cbbd…

MALICIOUS

PDF

39.5 KB Authoring application: OpenOffice.org
MD5: 681b3e39e3554cdfe4b861f4ebad7da4 SHA-1: 9f3dc39d29dfc968114e5beddcbdeac4f8bc2050 SHA-256: 56264c11b2a8cbbd3a3ef56d0ab9ed27e4fc1cb68ad1bd2435826aa3cadb48d1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, identified as a link farm, which is a common technique for phishing and distributing malware. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of the file. The embedded URLs likely lead to further malicious content or phishing pages.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://jongpancingbetta.com/uploads/1/3/0/7/130739450/fuvawez_nemove.pdf
    • http://navgardenforgirls.com/uploads/1/3/0/4/130476263/becfc98fa98d77.pdf
    • http://socialoverlay.net/uploads/1/3/0/2/130287799/visuguw.pdf
    • http://aliveconsultancy.org/uploads/1/3/0/6/130620551/70edac.pdf
    • http://blackgypsymamawagon.net/uploads/1/3/0/7/130739254/dikegexadezerezite.pdf
    • http://www.5280temp.com/uploads/1/3/0/8/130874237/batazoxomav_bibuj_mutipakilose.pdf
    • http://thegiftshop75.com/uploads/1/3/0/9/130969407/ddd6546dec896.pdf
    • http://digitalcityproductions.com/uploads/1/3/0/8/130813732/xalitazetunuji-woxafuk-mitipig-kopuxojuvov.pdf
    • http://briannamalottinteriors.com/uploads/1/3/0/5/130550911/zitixanakidom.pdf
    • http://hostmaster.executive-ecoaching.com/uploads/1/3/0/6/130605028/8636568.pdf
    • http://host90.carmichaelnl.com/uploads/1/3/0/6/130639632/130639632.html#umbilical+hernia+with+omentum

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000043ff.bin
84ca22f314a79f1d78696ae2c3e0ea7117a7ebf17846163228afbbe09d59ff44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x43FF 8580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.