Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bb40379d6d564f2…

MALICIOUS

PDF

Size: 53.5 KB
Authoring application: OpenOffice Draw
MD5: 4380a1f4296bf6296fece373f12bd016
SHA-1: 056ba659adbb2c6fdb285ca81491bc785e105802
SHA-256: 9bb40379d6d564f2ed2df3516ae5a8670cd1da78b3b449b5f7dd18656183cebd
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-driving intent. No scripts were extracted, and the document body content is heavily corrupted, limiting further analysis of the specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved file's filename, SHA-256, kind, source (location inside the sample) and size.

  • font_00_sfnt_off000014a1.bin
    SHA-256: c7abb5b0cc1d0e466fee3ece51c476e70bd4a8073d3b40b84a9b3a6f16d12042
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14A1
    Size: 9932 bytes
  • font_01_sfnt_off00006337.bin
    SHA-256: e9389566fbdd513621ac492e753e4ce5126640b6ff8a49c77e36d02545536365
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6337
    Size: 12120 bytes
  • font_02_sfnt_off00007da8.bin
    SHA-256: c1538cb76d1be22b4bb6303a869b23d709d10e23be43eef17069f92d26f60b2f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7DA8
    Size: 4180 bytes
  • font_03_sfnt_off00008a35.bin
    SHA-256: c770011c50217488db5959bba4e61ed648812afdb95fa3a605d8c0da010ab783
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A35
    Size: 16116 bytes