Malicious PDF — malware analysis report

Static analysis result for SHA-256 8896b1566cc69046…

Verdict: MALICIOUS
File type: PDF
Size: 42.5 KB
Authoring application: Scribus
MD5: d96f5f06ccd0024cf31f5a45113a3f0e
SHA-1: 78292a1166bbfbbde3af85427fd616788ee71b79
SHA-256: 8896b1566cc690467014fae9c5e5fedcce4a034c65b38ed4e306a40cd52e4edd
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.002 listed by the analyzer as "Spearphishing Attachment"; note that in ATT&CK T1566.002 is Phishing: Spearphishing Link, while Spearphishing Attachment is T1566.001

The PDF carries a cluster of clickable links to other hosted PDF files (eleven URLs, ten of them .pdf targets), a pattern used for SEO poisoning and for routing users into malicious-content delivery chains. The heuristic SE_BROWSER_INSTALL_LURE indicates that the document's visible content tells the user to install a browser extension or browser update in order to view it. Taken together, the install lure and the link farm indicate that the primary goal is to push the user toward downloading and executing further payloads or surrendering credentials. One caveat when reading the PDF_SEO_LINK_FARM description below: the extracted link targets sit on different hosts, but all share the same /uploads/1/3/0/<n>/<id>/ path layout, so the common factor in this sample is the hosting pattern rather than a single host.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE)
    The document tells the user to install a browser extension, plugin, viewer, or browser update to view the content, a common social-engineering path to credential theft and malware installation.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://derekloginoffshoretrust.com/uploads/1/3/0/2/130291575/7001177.pdf
    • http://pacesettersinstitute.com/uploads/1/3/0/5/130588232/lazitejin_tobururolo_seziwijugeruja.pdf
    • http://muchzeal.com/uploads/1/3/0/5/130539450/memefulusimi-fevogizesoz-julikudexifag-bawojugopote.pdf
    • http://adriana-bachmann.com/uploads/1/3/0/6/130605190/weraligukusepari.pdf
    • http://rrhsartclub.com/uploads/1/3/0/6/130604161/sesipukapigap_vegezeradasidom_gulen.pdf
    • http://tafski.org/uploads/1/3/0/5/130540504/1c88534915.pdf
    • http://staywhole.net/uploads/1/3/0/2/130270799/vaguradomimi_rusogo_vemefejo_fivisozekiv.pdf
    • http://nakedyogadallas.com/uploads/1/3/0/7/130740232/4daeaeaffeba.pdf
    • http://royalglossbrat.com/uploads/1/3/0/5/130546153/046dcd5b7d.pdf
    • http://clutteroftheday.com/uploads/1/3/0/5/130551219/6008130.pdf
    • http://steverodemsconsulting.com/uploads/1/3/0/6/130620626/6232313.pdf
    • http://norciagala.com/uploads/1/3/0/6/130620563/130620563.html#togaf+9+foundation+study+guide+4th+edition+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000133e.bin
    SHA-256: 7a7a794cc126308cfb9a855ae9fe79139f1c9954e484d625ef4a3b1d04f48138
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x133E
    Size: 8176 bytes
  • Filename: font_01_sfnt_off00005f8b.bin
    SHA-256: 6db2f878e0fd57d3a351d0d81a5ccd7b58f68df6728dadc3aee3ebeb1a1d6e60
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F8B
    Size: 16068 bytes