Malicious PDF — malware analysis report

Static analysis result for SHA-256 98f591ddaa28e0b3…

Verdict: MALICIOUS
File type: PDF
Size: 40.1 KB
Authoring application: LibreOffice Draw
MD5: 5e4b57bde5a50261a64bf3c0e3394312
SHA-1: 737ac7e48c9f7872569711ad4082d0aa3751f4b6
SHA-256: 98f591ddaa28e0b3c797a5d8f827498efbbac2c5b7f266e08a7d72cbea25e04f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified by ClamAV as Pdf.Phishing.TtraffRobotInstall. The critical heuristic PDF_SEO_LINK_FARM indicates the presence of a large number of external links, with the primary domain being expat.life. These links are likely used to redirect users to phishing or malware-hosting sites, a common tactic for distributing malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                          Kind             Source                                   Size
font_00_sfnt_off00003106.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0x3106  2864 bytes
  SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
font_01_sfnt_off00003d8e.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0x3D8E  7788 bytes
  SHA-256: 123595519f13b9f524da6f51a7df1e27bf12758c0fc958ec62eb8919968f4cb0