Malicious PDF — malware analysis report

Static analysis result for SHA-256 9371b4fe6d6d805e…

Verdict: MALICIOUS
File type: PDF
Size: 52.4 KB
Authoring application: LibreOffice
MD5: 5b446a1e642bb25d8f64985d1a9eefbd
SHA-1: baf71eba1b38e0ab055ac454411a6907bace25cb
SHA-256: 9371b4fe6d6d805ee8b9567849dc400fdd6d8c1ee472274c8d0f6407fc00167e
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, pointing to PDF files hosted on several different domains. This pattern indicates a link farm built to redirect users to potentially malicious content. The ClamAV detection further supports the malicious verdict, classifying the file as Pdf.Phishing.TtraffRobotInstall. The embedded URLs are the primary indicators of compromise and suggest a phishing or malware distribution campaign.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://chugachpt.com/uploads/1/3/0/6/130603975/ziwuzakoka.pdf
    • http://mychickenman.com/uploads/1/3/0/4/130435624/mubomugad.pdf
    • http://pet.2105ssshop07.fun/uploads/2020/01/28/4309551.pdf
    • http://mobowlusa.com/uploads/1/3/0/7/130739082/zuvunepogofozexavan.pdf
    • http://nursingarmpillow.com/uploads/1/3/0/4/130483207/130483207.html#away+in+a+manger+music+sheet+piano

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000010c6.bin
    SHA-256: 4a9cb585ba70079e43df168470cfa78e25a2d3c8db20376bdba95382c97cba56
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C6
    Size: 8520 bytes