Malicious PDF — malware analysis report

Static analysis result for SHA-256 9524fe46ad63f334…

MALICIOUS

PDF

Size: 69.8 KB
Authoring application: LibreOffice Draw
MD5: 85276953b2ca1afc0d425d30d886ee89
SHA-1: 58accbe08070628dc108a1577d85866b263ff9a7
SHA-256: 9524fe46ad63f334d187b952e45e73e8c97edd417da8225a5fac52989232c32b
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent. The primary purpose appears to be directing users to a network of external PDF files, most likely for SEO spam or phishing campaigns.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off0000ac12.bin
  SHA-256: 724da9f7f1334546d3bce0a8addce1237bc665d6f9e8183cc8bad4678f3aec68
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xAC12
  Size: 33388 bytes

Filename: font_00_sfnt_off000017f5.bin
  SHA-256: 44fd8ba9c8aa6a0e4b792c544adb75d745d3ad60db3b65c39bf7da2d6a585715
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17F5
  Size: 6176 bytes