Malicious PDF — malware analysis report

Static analysis result for SHA-256 8baf274a304e96aa…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Authoring application: OpenOffice Draw
MD5: 49e9e8b98f492b28f43410b100216393
SHA-1: eded4c4ac23d218fefecbbec63e20a7ec1d331cd
SHA-256: 8baf274a304e96aa0322125a18fe1ecc12d8745f0f4d1a6a40d53b133ba77380
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files, a technique commonly used for SEO poisoning or phishing campaigns. The ClamAV heuristic also flags this as a phishing-related threat. The document body text is heavily corrupted and does not provide further context on the specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://mosholudaycamp.com/uploads/1/3/0/6/130621045/3217048.pdf
    • http://perfectlg.org/uploads/1/3/0/4/130476649/mogokikitatesimora.pdf
    • http://1220productions.com/uploads/1/3/0/2/130272081/e381ee.pdf
    • http://mcaroadsidedeals.com/uploads/1/3/0/4/130436365/2872618.pdf
    • http://boylepublichealth.com/uploads/1/3/0/5/130589009/1fe25.pdf
    • http://nswminiaturepony.com.au/uploads/1/3/0/6/130620532/zanobe.pdf
    • http://wagnercottonwedding.com/uploads/1/3/0/7/130739591/2486713.pdf
    • http://northeastmaterials.com/uploads/1/3/0/6/130605421/a761a650.pdf
    • http://strongrootsfoundationmn.org/uploads/1/3/0/6/130622012/6687728.pdf
    • http://recreationlifestylehealth.com/uploads/1/3/0/5/130551670/vexuju_vafawotopu.pdf
    • http://michalrutkowski.net/uploads/1/3/0/6/130639363/443460.pdf
    • http://cooksinheels.com/uploads/1/3/0/3/130323311/936ee0ced9.pdf
    • http://jimmcnasby.com/uploads/1/3/0/6/130604667/46162c6667290e4.pdf
    • http://jamesagibson.com/uploads/1/3/0/4/130476403/5280744.pdf
    • http://fudodusigu.nbcoach.ru/uploads/2020/01/29/a5f43.pdf
    • http://rivumudolo.healthrating.ru/uploads/2020/01/29/adeb06a1e7.pdf
    • http://mitchcapone.com/uploads/1/3/0/4/130476112/guvofonitapi_sogoropa.pdf
    • http://tcsonline.net/uploads/1/3/0/4/130476594/fobenememul.pdf
    • http://teamjaime.com/uploads/1/3/0/2/130272435/xoditat-kutanewora-visavog.pdf
    • http://metalslitter.com/uploads/1/3/0/4/130477541/84a6f.pdf
    • http://mindfulneuropsych.org/uploads/1/3/0/5/130538956/de0d101814.pdf
    • http://ozaymobilyadekorasyon.com/uploads/1/3/0/6/130639461/siwewaweladutaberoni.pdf
    • http://niagaramedia.us/uploads/1/3/0/4/130476786/keposovuguk_mukud.pdf
    • http://mythosbaklava.ca/uploads/1/3/0/7/130738658/3111078.pdf
    • http://aroundtheworldin80minutes.org/uploads/1/3/0/6/130620532/bimeratugakinojomoje.pdf
    • http://mindforyou.org/uploads/1/3/0/5/130551416/130551416.html#general+ielts+writing+task+1+questions
    • http://recreationlifestylehealth.com/uploads/1/3/0/5/130

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003fa3.bin
SHA-256: 55514cd9a16c31f9266c1509cccbd2f795ed98b635e0351c01c2ed702b024adc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3FA3
Size: 8656 bytes