Malicious PDF — malware analysis report

Static analysis result for SHA-256 860c4423b7cb3821…

MALICIOUS

PDF

40.8 KB Authoring application: LibreOffice Draw
MD5: 9511c1105539843edd940bb8450d1ae6 SHA-1: f975385b5bb1d758631d11ce10d8e13fecb6c63a SHA-256: 860c4423b7cb38211c236379432c2bcb5daa9c34b82f945f2ae84b05dec314d4
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, identified as a PDF_SEO_LINK_FARM heuristic, pointing to other PDF files. This is indicative of a link farm used for SEO spam or phishing. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent. The document body, though heavily obfuscated, contains embedded URLs that are part of this link farm.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://befe.orlylogistics.com/uploads/2020/01/28/6137199.pdf
    • http://weddingsinseychelles.com/uploads/1/3/0/5/130551065/3f28d4ff4895.pdf
    • http://coachingvan.com/uploads/1/3/0/2/130272095/2d002a5bc1502.pdf
    • http://wubiwajum.sparepartsjumberca.com/uploads/2020/01/27/gipawu_bigefon_korolam_vupiwasamekix.pdf
    • http://ziruzafob.gateadcc.info/uploads/2020/01/27/474d300.pdf
    • http://drrosechildcentredcounselling.com/uploads/1/3/0/5/130540026/jedimuriruxok_jiwena.pdf
    • http://blythetierneydever.com/uploads/1/3/0/4/130483629/514dbc773.pdf
    • http://ccpropertyinvestment.com/uploads/1/3/0/2/130289186/pogugavitizuvide.pdf
    • http://mshannahfreeman.com/uploads/1/3/0/6/130620460/4147816.pdf
    • http://thewell-seasonedwoman.com/uploads/1/3/0/6/130621840/potamifizokemugaw.pdf
    • http://paintinghopefoundation.com/uploads/1/3/0/6/130620847/1682104.pdf
    • http://akashachamberlain.com/uploads/1/3/0/4/130488213/5144931.pdf
    • http://miamfoundation.org/uploads/1/3/0/4/130435633/fafobo-pakipote.pdf
    • http://ncslibrary.org/uploads/1/3/0/6/130621205/c9ea72c28ed6ee.pdf
    • https://kudefinigumol.weebly.com/uploads/1/3/0/2/130270907/8bc175339b43.pdf
    • http://jeffersongathering.com/uploads/1/3/0/5/130588405/e1c90556597d4.pdf
    • http://jijejo.iviik.icu/uploads/2020/01/27/kotedipesulon_gedew_puragokilasawu_nexusuv.pdf
    • http://virginiaconcretepaving.com/uploads/1/3/0/4/130483918/00c79ae7b.pdf
    • http://michaudwellness.com/uploads/1/3/0/2/130273842/130273842.html#yelawolf+bloody+sunday+mp4

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000015ee.bin
77b39829035c107629270acb8fd3324ebe45dd353932e57b42b61bca51beccd2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15EE 8468 bytes
font_01_sfnt_off00005894.bin
1a48559509f7f75063a877bee3d72c2f3225c728dd953cebf65f9a5167f6cbd7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5894 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.