Malicious PDF — malware analysis report

Static analysis result for SHA-256 95eb1a63c5fdfac4…

Verdict: MALICIOUS
File type: PDF
Size: 38.7 KB
Authoring application: LibreOffice Draw
MD5: 7f566729704e6c5467e53a2ee6311cd2
SHA-1: c81838d72e1f1b8ff252b1c81bfba8c4c61d1af8
SHA-256: 95eb1a63c5fdfac4ba1b91c31e35a61a7fe14e5e43a2f55f69d24453deb1d53d
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further suggests malicious intent, most likely phishing or traffic redirection. The document body is heavily obfuscated and provides no clear user-facing text, but the sheer number of links points to a strategy of overwhelming the user with choices or of manipulating search engine results.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://stonelakecounseling.com/uploads/1/3/0/5/130539842/0d825.pdf
    • http://thebesticecreamandcoffeesolvang.com/uploads/1/3/0/5/130542775/rutigelesim-tobilak.pdf
    • http://www.josephandsaratracy.com/uploads/1/3/0/4/130489431/7395967.pdf
    • http://pisec.org/uploads/1/3/0/6/130620888/7659142.pdf
    • http://lkradio.online/uploads/1/3/0/6/130603982/vokexebi-waral.pdf
    • http://humancapitalthink.com/uploads/1/3/0/7/130739928/tutilanem_nebejorez_zijujiletagil.pdf
    • http://kimscoastalcreations.com/uploads/1/3/0/3/130323449/8622120.pdf
    • http://movingmindsdance.com/uploads/1/3/0/4/130476347/6309373.pdf
    • http://kenbugulfilm.com/uploads/1/3/0/6/130621906/maxip.pdf
    • http://scumofus.org/uploads/1/3/0/6/130604928/wawajukezotav.pdf
    • http://candicemoss.com/uploads/1/3/0/7/130739462/sokekikari.pdf
    • http://anitacbaker.com/uploads/1/3/0/5/130538994/8214716.pdf
    • http://stephengilardi.com/uploads/1/3/0/4/130489386/telumasigubome.pdf
    • http://nicolasintheoldmarket.com/uploads/1/3/0/6/130604798/jomalubusitumabunu.pdf
    • http://nubeginningfarm.com/uploads/1/3/0/7/130776328/tozibapuxixivaso.pdf
    • http://onlinelarry.net/uploads/1/3/0/5/130547624/jovowoburo.pdf
    • http://napierpharmacy.co.nz/uploads/1/3/0/6/130605388/7d8db5bf632.pdf
    • http://dock84.pleasingfood.com/uploads/1/3/0/8/130874368/130874368.html#alcatel+u5+premium+4g

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000038bc.bin
SHA-256: 8362a71f1f378e7c403f5032c67633e93aff2fe0530fd8a43de9e7b9151eb62b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x38BC
Size: 8588 bytes