Malicious PDF — malware analysis report

Static analysis result for SHA-256 9286a11373500124…

Verdict: MALICIOUS
File type: PDF
Size: 33.8 KB
Authoring application: LibreOffice Draw
MD5: 918d622dcc10a86c3a370da8ecf135d1
SHA-1: 86340d14e701c22e860008e0f16c00e599317595
SHA-256: 9286a11373500124517a5ec53aa77e06ea291a75a81dccba82407d3eb9d7c86f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, many of which point to other PDF files, indicating a link farm designed to distribute malicious content. The ClamAV heuristic also flags this as Pdf.Phishing.TtraffRobotInstall, suggesting a phishing or traffic redirection scheme. The document body, though heavily obfuscated, contains references to movie downloads and includes many of the same URLs found in the heuristics, reinforcing the lure.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000012b4.bin
    SHA-256: 2c3950254252b83cdf95702daccddb25c1872e0c4b456931b16956b3b6907dbf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12B4
    Size: 8528 bytes