Malicious PDF — malware analysis report

Static analysis result for SHA-256 590e16c428d91802…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Authoring application: OpenOffice.org
MD5: 8b7afd572ee2d5d3920a5402bfbca984
SHA-1: 385fd2a4cb29af942c1c4da029a950fe31e37645
SHA-256: 590e16c428d9180298a3fc392a44b9490e567af280dd44a735f6b733ec8e15f6
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.002 User Execution: Malicious File. The link-following behaviour described by the heuristics below corresponds to T1204.001 User Execution: Malicious Link (T1204.002 is the Malicious File sub-technique).

The PDF file contains an unusually large number of external links for its size, flagged by the PDF_SEO_LINK_FARM heuristic. The link targets are further PDF and HTML documents hosted on several unrelated domains under an identical upload path structure, which points to a generated SEO/link-farm carrier used to route users into a malicious or unwanted-software delivery chain rather than a document with genuine citations. ClamAV independently classifies the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. No scripts were extracted from this sample, so the link annotations are the only active content found; the extensive link farm is sufficient evidence for the observed attack pattern.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://personaloutfits.com/uploads/1/3/0/6/130620327/xepufazuwu.pdf
    • http://abetamassage.com/uploads/1/3/0/6/130604195/1c0c929.pdf
    • http://modestomasonry.com/uploads/1/3/0/6/130639277/898801.pdf
    • http://mainlytechno.com/uploads/1/3/0/7/130739811/dikuvulalif_zesamukabi_rurikera.pdf
    • http://brightbuzz.biz/uploads/1/3/0/6/130605230/d7591d052e045d.pdf
    • http://iwonderwouldi.com/uploads/1/3/0/2/130289796/651363f1e90f4b5.pdf
    • http://mygreatideas.co.nz/uploads/1/3/0/4/130483155/9306699.pdf
    • http://mynaturalhairspa.com/uploads/1/3/0/6/130603850/130603850.html#stanford+diagnostic+reading+test+pdf
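The following is an added worked example of the PDF_SEO_LINK_FARM and EMBEDDED_URL logic, written for this page; it is not the analyser's own implementation and the thresholds (200 KB size cap, at least 5 links, 60% share) are assumptions. It builds a constructed one-page PDF carrying one /Link annotation per URL from the list above, scans the raw bytes for /URI literal strings, and measures link count, host clustering, share of .pdf targets and, going one step beyond the heuristic text, how many links share one digit-normalised directory template (the "/uploads/N/N/N/N/N" pattern visible in the list).

```python
"""Toy implementation of a PDF link-farm heuristic (added example, not the
analyser's code). Thresholds are assumptions chosen for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Link targets taken from the EMBEDDED_URL section of the report above.
REPORT_URLS = [
    "http://personaloutfits.com/uploads/1/3/0/6/130620327/xepufazuwu.pdf",
    "http://abetamassage.com/uploads/1/3/0/6/130604195/1c0c929.pdf",
    "http://modestomasonry.com/uploads/1/3/0/6/130639277/898801.pdf",
    "http://mainlytechno.com/uploads/1/3/0/7/130739811/dikuvulalif_zesamukabi_rurikera.pdf",
    "http://brightbuzz.biz/uploads/1/3/0/6/130605230/d7591d052e045d.pdf",
    "http://iwonderwouldi.com/uploads/1/3/0/2/130289796/651363f1e90f4b5.pdf",
    "http://mygreatideas.co.nz/uploads/1/3/0/4/130483155/9306699.pdf",
    "http://mynaturalhairspa.com/uploads/1/3/0/6/130603850/130603850.html#stanford+diagnostic+reading+test+pdf",
]


def build_pdf(urls):
    """Constructed sample: a one-page PDF with one /Link annotation per URL.
    The xref table is omitted on purpose; the byte scanner below does not need it."""
    body = [b"%PDF-1.4\n",
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"]
    refs = []
    for i, url in enumerate(urls, start=4):
        # PDF literal strings need backslash and parentheses escaped
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        refs.append(f"{i} 0 R".encode())
        body.append(f"{i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({esc}) >> >> endobj\n".encode())
    body.insert(3, b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                   b"/Annots [" + b" ".join(refs) + b"] >> endobj\n")
    body.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(body)


# Matches "/URI (literal string)" allowing backslash-escaped characters inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf_bytes):
    """Scan raw bytes for /URI literal strings and unescape them.
    Caveat: misses URIs stored as hex strings <...>, inside compressed object
    streams, or assembled by JavaScript; a real analyser decodes those first."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def link_farm_signals(pdf_bytes, max_size=200_000, min_links=5, share=0.6):
    """Return the measured signals plus a 'hit' verdict (thresholds are assumptions)."""
    uris = extract_link_uris(pdf_bytes)
    n = len(uris)
    parts = [urlsplit(u) for u in uris]
    hosts = Counter(p.hostname or "" for p in parts)
    pdf_share = sum(p.path.lower().endswith(".pdf") for p in parts) / n if n else 0.0
    # Directory template: drop the filename, collapse digit runs. Generated link
    # farms tend to reuse one template across many otherwise unrelated hosts.
    dir_templates = Counter(re.sub(r"\d+", "N", p.path.rsplit("/", 1)[0]) for p in parts)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_dir_share = dir_templates.most_common(1)[0][1] / n if n else 0.0
    signals = {
        "size": len(pdf_bytes),
        "links": n,
        "distinct_hosts": len(hosts),
        "pdf_share": pdf_share,
        "top_host_share": top_host_share,
        "top_dir_template": dir_templates.most_common(1)[0][0] if n else "",
        "top_dir_share": top_dir_share,
    }
    signals["hit"] = (len(pdf_bytes) <= max_size and n >= min_links
                      and (pdf_share >= share or top_host_share >= share
                           or top_dir_share >= share))
    return signals


if __name__ == "__main__":
    for key, value in link_farm_signals(build_pdf(REPORT_URLS)).items():
        print(f"{key:>17}: {value}")
```

Run stand-alone it prints the signals for the constructed sample: 8 links on 8 distinct hosts, 7 of 8 pointing at .pdf files, and all 8 sharing the directory template "/uploads/N/N/N/N/N", so the verdict is a hit even though no single host dominates. The raw-byte scan is the weakest part of this toy: a carrier that hides its URIs in an object stream or a hex string slips past it, which is why production tooling decodes streams before applying link heuristics.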

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000114d.bin
SHA-256: 8454feb364f99c39c50be907d9696ccf591cec06a6282992f6e9590caeffd2af
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x114D
Size: 8552 bytes