Malicious PDF — malware analysis report

Static analysis result for SHA-256 93b1e090eebdc1fc…

Verdict: MALICIOUS
File type: PDF
Size: 42.9 KB
Authoring application: OpenOffice Draw
MD5: 7832b79b4ce8f4156dde7b6c6247044d
SHA-1: 1bf4543a48d325e3c86d440fd26eb1a2f13840fd
SHA-256: 93b1e090eebdc1fca5fef3443748e54cf7d0da122ba93cb3d28049f456c2d42c
Risk score: 120

Malware Insights

MITRE ATT&CK:
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of embedded links to external PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection also flags this as a phishing-related threat. The document body contains text related to Casio calculators but also includes numerous URLs that are likely part of a link farm or phishing campaign. The primary intent appears to be directing users to a large collection of external PDFs hosted on various domains.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013c8.bin
SHA-256: e5664c081e8be3351ed23a0a995b0774678ae382cfe48ce9124f3c107fc1e64d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13C8
Size: 9336 bytes