Malicious PDF — malware analysis report

Static analysis result for SHA-256 91fa21a44d9eea3b…

Verdict: MALICIOUS
File type: PDF
Size: 33.4 KB
Authoring application: LibreOffice
MD5: 2d5b96fdd3e4e270194bf4fa103d683a
SHA-1: ebca50d9c5a152fa53796c2c03ce10e8cd54d74b
SHA-256: 91fa21a44d9eea3b7619d2359f1e71f91e4678db8033e764d4473b66e52d2842
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: User Execution
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains a link farm pointing to multiple external PDF documents, a technique often used for SEO poisoning or to distribute malicious content. The heuristic 'SE_BROWSER_INSTALL_LURE' indicates the document's content likely prompts the user to install a browser extension or update. This combination suggests a phishing or malware delivery attempt. No scripts were extracted from this sample, limiting further analysis of its execution behavior.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure (high; SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012b5.bin
SHA-256: b6bc3ac0a74a283ca0d9756d0adcc24efa4fc3b74793bc0c39e2cfdad3437501
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12B5
Size: 8296 bytes